
Windows Analysis Report PI.1872GAT02.pdf.exe

Overview

General Information

Sample Name: PI.1872GAT02.pdf.exe
Analysis ID: 553435
MD5: 1396637598469e7e918c70be938370d5
SHA1: c83510c66f043c3595960102ac030a3c99656768
SHA256: d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • PI.1872GAT02.pdf.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 5588 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3500 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PI.1872GAT02.pdf.exe (PID: 6360 cmdline: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe MD5: 1396637598469E7E918C70BE938370D5)
  • catch.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Roaming\catch\catch.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 4656 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 4592 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • catch.exe (PID: 3500 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 4768 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 2292 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
    • catch.exe (PID: 4860 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
  • catch.exe (PID: 2772 cmdline: "C:\Users\user\AppData\Roaming\catch\catch.exe" MD5: 1396637598469E7E918C70BE938370D5)
    • powershell.exe (PID: 5612 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6632 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • catch.exe (PID: 2948 cmdline: C:\Users\user\AppData\Roaming\catch\catch.exe MD5: 1396637598469E7E918C70BE938370D5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(53 entries in the full report; the first five are reproduced here)

Unpacked PEs

Source | Rule | Description | Author
0.2.PI.1872GAT02.pdf.exe.2797840.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(62 entries in the full report; the first five are reproduced here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, CommandLine: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, NewProcessName: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, OriginalFileName: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ProcessId: 6360
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp, ProcessId: 3500
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, ProcessId: 5588
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe" , ParentImage: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe, ParentProcessId: 6900, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, ProcessId: 5588
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132867013418482993.5588.DefaultAppDomain.powershell
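The three process-based Sigma hits above (double extension, Defender exclusion via Add-MpPreference, scheduled task created from an XML file in the user's Temp directory), together with the shape of the process tree (the sample launching an identical copy of itself, which is where the injected AgentTesla payload lives), can be re-implemented as checks over process-creation events. The block below is an added example and is not code from Joe Sandbox or the Sigma project. Its EVENTS list is constructed to mirror the report's process tree: the PIDs and command lines are taken from the report, while the top-level parent (explorer.exe, PID 4000) and the two benign control events are invented, and the event field names are an assumed simplified schema rather than any real EDR format.

```python
"""Re-implement the report's Sigma hits as checks over process-creation events.

Added example; not Joe Sandbox or Sigma code. EVENTS is constructed to mirror
the report's process tree (PIDs and command lines from the report; the
explorer.exe parent and the two benign controls are invented). The field names
pid/ppid/image/parent_image/cmdline are an assumed, simplified schema.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 6900, "ppid": 4000, "image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"'},
    {"pid": 5588, "ppid": 6900, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe"'},
    {"pid": 3500, "ppid": 6900, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp"'},
    {"pid": 6360, "ppid": 6900, "image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "parent_image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "cmdline": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"},
    # Constructed benign controls: an admin-created task and a read-only Defender query.
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"'},
    {"pid": 801, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},
]

# Double extension: a document-looking name that is really a PE.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.I)
# schtasks fed an XML task definition straight out of the user's Temp directory.
TEMP_XML = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)
# Add-MpPreference with one of the exclusion switches (path, process, extension).
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I | re.S)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names this single event triggers (empty if clean)."""
    hits = []
    name = basename(ev["image"])
    if DOUBLE_EXT.search(name):
        hits.append("double_extension")
    if name == "powershell.exe" and MP_EXCLUSION.search(ev["cmdline"]):
        hits.append("defender_exclusion")
    if name == "schtasks.exe" and re.search(r"/create\b", ev["cmdline"], re.I) \
            and TEMP_XML.search(ev["cmdline"]):
        hits.append("task_from_user_temp")
    # A process launching an identical copy of itself is the hollowing shape in the tree.
    if ev["image"].lower() == ev["parent_image"].lower():
        hits.append("self_spawn")
    return hits


def flag_loaders(events, threshold=2):
    """PIDs of parents whose children, taken together, show at least `threshold`
    of the three persistence/evasion behaviours. Any one of them is noisy on its
    own; the combination under a single parent is what the report's tree shows."""
    per_parent = defaultdict(set)
    for ev in events:
        for hit in check_event(ev):
            if hit in {"defender_exclusion", "task_from_user_temp", "self_spawn"}:
                per_parent[ev["ppid"]].add(hit)
    return sorted(pid for pid, hits in per_parent.items() if len(hits) >= threshold)


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["pid"], basename(ev["image"]), check_event(ev))
    print("loader candidates:", flag_loaders(EVENTS))
```

Run against the constructed events, only PID 6900 is reported as a loader candidate: its children trip the exclusion rule, the Temp-XML task rule and the self-spawn rule, while the admin-created task and the Get-MpPreference query trip nothing. Raising the threshold to three still keeps 6900 and is the setting to start from on a noisy fleet.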

                      Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: PI.1872GAT02.pdf.exe; Virustotal: Detection: 47%
Source: PI.1872GAT02.pdf.exe; ReversingLabs: Detection: 45%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\catch\catch.exe; ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe; ReversingLabs: Detection: 46%
Machine Learning detection for sample
Source: PI.1872GAT02.pdf.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\catch\catch.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.2.catch.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 9.2.PI.1872GAT02.pdf.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 32.0.catch.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.0.catch.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: 31.2.catch.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: PI.1872GAT02.pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PI.1872GAT02.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: TextIn.pdb source: catch.exe, catch.exe, 00000018.00000000.473725790.0000000000272000.00000002.00020000.sdmp, catch.exe, 00000019.00000000.481075981.00000000003D2000.00000002.00020000.sdmp, catch.exe, 0000001C.00000000.485808707.0000000000332000.00000002.00020000.sdmp, catch.exe, 0000001F.00000000.490124493.0000000000942000.00000002.00020000.sdmp, catch.exe, 00000020.00000000.494419414.0000000000992000.00000002.00020000.sdmp, PI.1872GAT02.pdf.exe, catch.exe.9.dr, iDGyQtltoKmu.exe.0.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49845 -> 208.91.199.224:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49846 -> 208.91.199.224:587
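The Snort rule above fires on the content of the SMTP session. Flow and DNS records let the same exfiltration be found without payload inspection, by combining the indicator from the alert (208.91.199.224, TCP 587) with a behavioural rule (an endpoint that is not the site's mail relay speaking SMTP directly to a public address) and the SMTP host names the report lists further down among the strings found in memory (smtp.tranpotescamdonic.us and us2.smtp.mailhostbox.com). The block below is an added example and is not part of the Joe Sandbox report. Its CONN_LOG and DNS_LOG are constructed in a Zeek-like tab-separated shape; the flows from 192.168.2.6 mirror the alert, the other records and the MAIL_RELAYS allowlist are assumptions for illustration.

```python
"""Find AgentTesla-style SMTP exfiltration in flow and DNS records.

Added example; not part of the Joe Sandbox report. CONN_LOG and DNS_LOG are
constructed in a Zeek-like tab-separated shape. The 192.168.2.6 flows mirror
the report's Snort alert; the remaining records and MAIL_RELAYS are assumed.
"""
import ipaddress

SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"192.168.2.10"}      # assumption: the only host allowed to speak SMTP outbound
EXFIL_IPS = {"208.91.199.224"}      # from the report's Snort alert
EXFIL_HOSTS = {"smtp.tranpotescamdonic.us", "us2.smtp.mailhostbox.com"}  # strings found in memory

CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes
1642000000.1\t192.168.2.6\t49845\t208.91.199.224\t587\ttcp\tsmtp\t4211
1642000001.3\t192.168.2.6\t49846\t208.91.199.224\t587\ttcp\tsmtp\t3980
1642000002.0\t192.168.2.10\t51000\t93.184.216.34\t25\ttcp\tsmtp\t120000
1642000003.5\t192.168.2.6\t49900\t142.250.74.78\t443\ttcp\tssl\t9000
1642000004.0\t192.168.2.7\t49901\t192.168.2.10\t25\ttcp\tsmtp\t2000
"""

DNS_LOG = """\
ts\tid.orig_h\tquery
1641999999.0\t192.168.2.6\tsmtp.tranpotescamdonic.us
1641999999.5\t192.168.2.6\tus2.smtp.mailhostbox.com
1642000003.0\t192.168.2.6\twww.example.com
"""


def parse_tsv(text):
    """Parse a header-first, tab-separated log into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    fields = lines[0].split("\t")
    return [dict(zip(fields, line.split("\t"))) for line in lines[1:]]


def classify_conn(rec):
    """Return the reasons a flow record looks like SMTP exfiltration ([] if clean)."""
    reasons = []
    if int(rec["id.resp_p"]) not in SMTP_PORTS:
        return reasons
    dst = rec["id.resp_h"]
    if dst in EXFIL_IPS:
        reasons.append("ioc_match")
    # Behavioural rule: a non-relay host speaking SMTP straight to a public address.
    if rec["id.orig_h"] not in MAIL_RELAYS and not ipaddress.ip_address(dst).is_private:
        reasons.append("direct_smtp_from_endpoint")
    return reasons


def find_exfil(conn_text):
    """Flagged flows as (src, dst, dport, reasons) tuples, in log order."""
    out = []
    for rec in parse_tsv(conn_text):
        reasons = classify_conn(rec)
        if reasons:
            out.append((rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]), reasons))
    return out


def find_exfil_dns(dns_text):
    """(client, name) pairs for lookups of the SMTP servers named in the sample's memory."""
    return sorted({(r["id.orig_h"], r["query"]) for r in parse_tsv(dns_text)
                   if r["query"].lower() in EXFIL_HOSTS})


def hosts_to_isolate(conn_text, dns_text):
    """Union of sources seen in flagged flows or DNS lookups: the triage list."""
    hosts = {src for src, _, _, _ in find_exfil(conn_text)}
    hosts |= {src for src, _ in find_exfil_dns(dns_text)}
    return sorted(hosts)


if __name__ == "__main__":
    for hit in find_exfil(CONN_LOG):
        print(hit)
    print("isolate:", hosts_to_isolate(CONN_LOG, DNS_LOG))
```

On the constructed data the two 192.168.2.6 flows are flagged on both the indicator and the behavioural rule, the sanctioned relay's outbound session and the workstation-to-relay session are not, and the DNS lookups add no further hosts, so the triage list is the single endpoint the report's traffic came from. The behavioural rule is the one that keeps working after the operator changes mailbox and server.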
Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.342428606.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342376975.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342448075.00000000055DA000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341652269.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.comH
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.comY
                      Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpString found in binary or memory: http://oHtnSs.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmpString found in binary or memory: http://smtp.tranpotescamdonic.us
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346994696.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347052526.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346868051.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346747432.00000000055D3000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comd
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.come
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comen
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comexc
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comicr
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comk.
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.346299565.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comlo
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comncy
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comno
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comos
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comtigY
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.349563544.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349795020.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000003.350740671.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350834095.00000000055EE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000003.589182184.0000000001144000.00000004.00000001.sdmp | String found in binary or memory: https://JZAeubGsK9Sikz.org
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
                      Source: catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, catch.exe, 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, catch.exe, 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknown | DNS traffic detected: queries for: smtp.tranpotescamdonic.us

                      System Summary:

                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: PI.1872GAT02.pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b73F50571u002d8E40u002d411Fu002d8F2Bu002d0DBA915C720Cu007d/u00351990C9Fu002dADF8u002d4F9Cu002dBED8u002d3040FC7E7F13.csLarge array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b73F50571u002d8E40u002d411Fu002d8F2Bu002d0DBA915C720Cu007d/u00351990C9Fu002dADF8u002d4F9Cu002dBED8u002d3040FC7E7F13.csLarge array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b73F50571u002d8E40u002d411Fu002d8F2Bu002d0DBA915C720Cu007d/u00351990C9Fu002dADF8u002d4F9Cu002dBED8u002d3040FC7E7F13.csLarge array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b73F50571u002d8E40u002d411Fu002d8F2Bu002d0DBA915C720Cu007d/u00351990C9Fu002dADF8u002d4F9Cu002dBED8u002d3040FC7E7F13.csLarge array initialization: .cctor: array initializer size 11932
                      Source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b73F50571u002d8E40u002d411Fu002d8F2Bu002d0DBA915C720Cu007d/u00351990C9Fu002dADF8u002d4F9Cu002dBED8u002d3040FC7E7F13.csLarge array initialization: .cctor: array initializer size 11932
                      Source: PI.1872GAT02.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_00ABC9D40_2_00ABC9D4
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_00ABEE080_2_00ABEE08
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_00ABEE180_2_00ABEE18
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_070200060_2_07020006
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_070200400_2_07020040
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_07029DB30_2_07029DB3
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_07029DC00_2_07029DC0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 0_2_07029DC00_2_07029DC0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_013991089_2_01399108
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_013945009_2_01394500
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_0139488F9_2_0139488F
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_0139B7189_2_0139B718
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_013933089_2_01393308
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_013998609_2_01399860
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_0139F4A89_2_0139F4A8
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_02E546A09_2_02E546A0
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_02E546909_2_02E54690
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeCode function: 9_2_02E546729_2_02E54672
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_00BFC9D416_2_00BFC9D4
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_00BFEE1816_2_00BFEE18
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_00BFEE0816_2_00BFEE08
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834001E16_2_0834001E
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834C86C16_2_0834C86C
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834004016_2_08340040
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834513F16_2_0834513F
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834933616_2_08349336
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834933816_2_08349338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 16_2_0834933816_2_08349338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_00D9C9D420_2_00D9C9D4
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_00D9EE1820_2_00D9EE18
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_00D9EE0820_2_00D9EE08
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849CA7820_2_0849CA78
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849933820_2_08499338
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849004020_2_08490040
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849001620_2_08490016
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849932720_2_08499327
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeCode function: 20_2_0849933820_2_08499338
                      Source: PI.1872GAT02.pdf.exeBinary or memory string: OriginalFilename vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000000.338145138.00000000002C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.386729402.0000000006EB0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exeBinary or memory string: OriginalFilename vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000000.377475434.0000000000B62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamevuduTLYHGZhoMUxQolVCGKD.exe4 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exeBinary or memory string: OriginalFilenameTextIn.exe0 vs PI.1872GAT02.pdf.exe
                      Source: PI.1872GAT02.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: iDGyQtltoKmu.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: catch.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PI.1872GAT02.pdf.exeVirustotal: Detection: 47%
                      Source: PI.1872GAT02.pdf.exeReversingLabs: Detection: 45%
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeFile read: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeJump to behavior
                      Source: PI.1872GAT02.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe "C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe "C:\Users\user\AppData\Roaming\catch\catch.exe"
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe "C:\Users\user\AppData\Roaming\catch\catch.exe"
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@33/19@2/0
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PI.1872GAT02.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI.1872GAT02.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PI.1872GAT02.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: TextIn.pdb source: catch.exe, catch.exe, 00000018.00000000.473725790.0000000000272000.00000002.00020000.sdmp, catch.exe, 00000019.00000000.481075981.00000000003D2000.00000002.00020000.sdmp, catch.exe, 0000001C.00000000.485808707.0000000000332000.00000002.00020000.sdmp, catch.exe, 0000001F.00000000.490124493.0000000000942000.00000002.00020000.sdmp, catch.exe, 00000020.00000000.494419414.0000000000992000.00000002.00020000.sdmp, PI.1872GAT02.pdf.exe, catch.exe.9.dr, iDGyQtltoKmu.exe.0.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: PI.1872GAT02.pdf.exe, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: iDGyQtltoKmu.exe.0.dr, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: catch.exe.9.dr, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.13.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.3.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.7.unpack, lN/HS.cs | .Net Code: od System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: PI.1872GAT02.pdf.exe, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: iDGyQtltoKmu.exe.0.dr, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.PI.1872GAT02.pdf.exe.2c0000.0.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: catch.exe.9.dr, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.13.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.3.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.PI.1872GAT02.pdf.exe.b60000.7.unpack, lN/HS.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 0_2_0702D88D push FFFFFF8Bh; iretd 0_2_0702D88F
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_02E5DD39 push FFFFFF8Bh; iretd 9_2_02E5DD3B
Source: initial sample | Static PE information: section name: .text entropy: 7.24659563485
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Roaming\catch\catch.exe
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File created: C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run catch

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\catch\catch.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.2797840.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.278f834.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.27d661c.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.27bf844.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.27bf844.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.27c7850.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.27c7850.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6900, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 5320, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2772, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: PI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6904 | Thread sleep time: -34769s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6936 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 6060 | Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 2440 | Thread sleep count: 4166 > 30
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe TID: 2440 | Thread sleep count: 5649 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 2944 | Thread sleep time: -37884s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 6308 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 6376 | Thread sleep time: -33793s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4828 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2296 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4528 | Thread sleep count: 32 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 4528 | Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 1752 | Thread sleep count: 3295 > 30
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe TID: 1752 | Thread sleep count: 6529 > 30
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6204
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2617
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Window / User API: threadDelayed 4166
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Window / User API: threadDelayed 5649
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7657
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 723
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6776
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1753
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Window / User API: threadDelayed 3295
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Window / User API: threadDelayed 6529
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Thread delayed: delay time: 34769
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 37884
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Thread delayed: delay time: 33793
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Code function: 9_2_0139B718 LdrInitializeThunk,9_2_0139B718
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeMemory written: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeMemory written: C:\Users\user\AppData\Roaming\catch\catch.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeMemory written: C:\Users\user\AppData\Roaming\catch\catch.exe base: 400000 value starts with: 4D5A
                      Adds a directory exclusion to Windows DefenderShow sources
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exeJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmpJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeProcess created: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe C:\Users\user\Desktop\PI.1872GAT02.pdf.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exeProcess created: C:\Users\user\AppData\Roaming\catch\catch.exe C:\Users\user\AppData\Roaming\catch\catch.exe
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                      Source: PI.1872GAT02.pdf.exe, 00000009.00000002.609447003.0000000001900000.00000002.00020000.sdmp, catch.exe, 00000020.00000002.608790450.0000000001800000.00000002.00020000.sdmpBinary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Users\user\AppData\Roaming\catch\catch.exe  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Users\user\AppData\Roaming\catch\catch.exe  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\catch\catch.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.PI.1872GAT02.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6900, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6360, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 5320, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2772, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 4860, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2948, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\PI.1872GAT02.pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara match | File source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6360, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 4860, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2948, type: MEMORYSTR

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.PI.1872GAT02.pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.382b948.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.37f5928.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.PI.1872GAT02.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.0.catch.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.0.catch.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.catch.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.382b948.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37c5928.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.catch.exe.37f5928.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PI.1872GAT02.pdf.exe.37fb948.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6900, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: PI.1872GAT02.pdf.exe PID: 6360, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 5320, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2772, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 4860, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: catch.exe PID: 2948, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation211 | Scheduled Task/Job1 | Process Injection112 | Disable or Modify Tools11 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job1 | Registry Run Keys / Startup Folder1 | Scheduled Task/Job1 | Deobfuscate/Decode Files or Information1 | Credentials in Registry1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder1 | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing23 | NTDS | Security Software Discovery311 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion131 | Cached Domain Credentials | Virtualization/Sandbox Evasion131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection112 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 553435 | Sample: PI.1872GAT02.pdf.exe | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100

                      Start (node 2)
                      • DNS/IP: us2.smtp.mailhostbox.com; smtp.tranpotescamdonic.us
                      • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures
                      • Started: PI.1872GAT02.pdf.exe (node 8, badge 7); catch.exe (node 12, badge 5); catch.exe (node 14)

                      PI.1872GAT02.pdf.exe (node 8)
                      • Dropped: C:\Users\user\AppData\...\iDGyQtltoKmu.exe (PE32); C:\Users\...\iDGyQtltoKmu.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB28A.tmp (XML); C:\Users\user\...\PI.1872GAT02.pdf.exe.log (ASCII)
                      • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
                      • Started: PI.1872GAT02.pdf.exe (node 16, badges 2 5); powershell.exe (node 20, badge 25); schtasks.exe (node 22, badge 1)

                      catch.exe (node 12)
                      • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Adds a directory exclusion to Windows Defender
                      • Started: powershell.exe (node 24); schtasks.exe (node 26); 4 other processes (node 34)

                      catch.exe (node 14)
                      • Signatures: Injects a PE file into a foreign processes
                      • Started: powershell.exe (node 28); schtasks.exe (node 30); catch.exe (node 32)

                      PI.1872GAT02.pdf.exe (node 16)
                      • Dropped: C:\Users\user\AppData\Roaming\...\catch.exe (PE32); C:\Users\user\...\catch.exe:Zone.Identifier (ASCII)
                      • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures

                      conhost.exe children: powershell.exe (20) -> conhost.exe (36); schtasks.exe (22) -> conhost.exe (38); powershell.exe (24) -> conhost.exe (40); schtasks.exe (26) -> conhost.exe (42); powershell.exe (28) -> conhost.exe (44); schtasks.exe (30) -> conhost.exe (46)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      PI.1872GAT02.pdf.exe | 48% | Virustotal |
                      PI.1872GAT02.pdf.exe | 45% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
                      PI.1872GAT02.pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\catch\catch.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\catch\catch.exe | 47% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
                      C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe | 47% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      9.0.PI.1872GAT02.pdf.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.catch.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      32.0.catch.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                      9.0.PI.1872GAT02.pdf.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                      9.0.PI.1872GAT02.pdf.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      9.0.PI.1872GAT02.pdf.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                      32.0.catch.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                      32.0.catch.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.catch.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
                      32.2.catch.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.catch.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                      9.0.PI.1872GAT02.pdf.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                      32.0.catch.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.catch.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                      9.2.PI.1872GAT02.pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      32.0.catch.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
                      31.0.catch.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
                      31.2.catch.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      https://JZAeubGsK9Sikz.org | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.comt# | 0% | Avira URL Cloud | safe
                      http://www.galapagosdesign.com/staff/dennis.htm= | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr-e | 0% | Avira URL Cloud | safe
                      http://fontfabrik.comY | 0% | Avira URL Cloud | safe
                      http://www.tiro.com5 | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comen | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr( | 0% | Avira URL Cloud | safe
                      http://fontfabrik.comH | 0% | URL Reputation | safe
                      http://www.carterandcone.comno | 0% | Avira URL Cloud | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.carterandcone.com | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/.m | 0% | Avira URL Cloud | safe
                      http://www.zhongyicts.com.cnr-c | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.sandoll.co.krs-c | 0% | Avira URL Cloud | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cnn | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      http://smtp.tranpotescamdonic.us | 0% | Avira URL Cloud | safe
                      http://oHtnSs.com | 0% | Avira URL Cloud | safe
                      http://www.urwpp.deettr | 0% | Avira URL Cloud | safe
                      http://www.sandoll.c | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cnsk. | 0% | Avira URL Cloud | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.carterandcone.comk. | 0% | Avira URL Cloud | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.urwpp.de | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      http://www.carterandcone.comicr | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/r | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.comk | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comexc | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://www.fontbureau.comF | 0% | URL Reputation | safe
                      http://www.carterandcone.come | 0% | URL Reputation | safe
                      http://www.agfamonotype. | 0% | URL Reputation | safe
                      http://www.carterandcone.comd | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://www.carterandcone.comTC | 0% | URL Reputation | safe
                      http://www.urwpp.deQ | 0% | Avira URL Cloud | safe
                      http://www.sajatypeworks.coma) | 0% | Avira URL Cloud | safe
                      http://www.tiro.comlic | 0% | URL Reputation | safe
                      http://www.carterandcone.comlo | 0% | Avira URL Cloud | safe
                      http://en.w | 0% | URL Reputation | safe
                      https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.goodfont.co.kr.m | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cnn-u? | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comint | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://www.fontbureau.comtX( | 0% | Avira URL Cloud | safe
                      http://www.zhongyicts.com.cno.t | 0% | Avira URL Cloud | safe
                      http://www.monotype. | 0% | URL Reputation | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cnlt8 | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comos | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.comncy | 0% | URL Reputation | safe
                      http://www.carterandcone.comtigY | 0% | Avira URL Cloud | safe
                      http://www.urwpp.ded | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | | high
                      smtp.tranpotescamdonic.us | unknown | unknown | false | | high

                          URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.fontbureau.com/designersH | PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmp | false | | high
                      http://127.0.0.1:HTTP/1.1 | PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp; catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp; catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://www.fontbureau.com/designersG | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | | high
                      https://JZAeubGsK9Sikz.org | PI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmp; PI.1872GAT02.pdf.exe, 00000009.00000003.589182184.0000000001144000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.sajatypeworks.comt# | PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.fontbureau.com/designers/? | PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp | false | | high
                      http://www.galapagosdesign.com/staff/dennis.htm= | PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp; PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp; PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp; PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp; PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmp | false
                                • Avira URL Cloud: safe
                                unknown
                                http://www.founder.com.cn/cn/bThePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.goodfont.co.kr-ePI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://us2.smtp.mailhostbox.comPI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmpfalse
                                  high
                                  http://fontfabrik.comYPI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers?PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.tiro.com5PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.carterandcone.comenPI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.tiro.comPI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sandoll.co.kr(PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    low
                                    http://www.fontbureau.com/designersPI.1872GAT02.pdf.exe, 00000000.00000003.349563544.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349795020.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349485061.00000000055D0000.00000004.00000001.sdmpfalse
                                      high
                                      http://fontfabrik.comHPI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.carterandcone.comnoPI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.com/designers0.PI.1872GAT02.pdf.exe, 00000000.00000003.350849136.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350908927.00000000055CB000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.goodfont.co.krPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comPI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cn/.mPI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zhongyicts.com.cnr-cPI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sajatypeworks.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sandoll.co.krs-cPI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.typography.netDPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cn/cThePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.founder.com.cn/cnnPI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmPI.1872GAT02.pdf.exe, 00000000.00000003.355602281.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353253105.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355000874.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353979670.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354410089.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352539337.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353040919.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355456833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355104139.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354676559.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352631483.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355798640.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353354516.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353914805.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355661429.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355512777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353605294.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355335081.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354077275.00000000055CB000.00000004.00000001.sdmp, 
PI.1872GAT02.pdf.exe, 00000000.00000003.354188877.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352723895.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355558253.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354761451.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354807622.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353476286.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353190242.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354585604.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352897777.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355405169.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353702244.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355713046.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354887021.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.352778011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386058108.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354288508.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355836459.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353859656.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.354936948.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353542324.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355199978.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 
00000000.00000003.355256754.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.355152588.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.353790375.00000000055CB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://fontfabrik.comPI.1872GAT02.pdf.exe, 00000000.00000003.341824019.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341652269.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341738040.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341797011.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341764187.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.341718830.00000000055CB000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designerskPI.1872GAT02.pdf.exe, 00000000.00000003.351023238.00000000055CB000.00000004.00000001.sdmpfalse
                                          high
                                          http://smtp.tranpotescamdonic.usPI.1872GAT02.pdf.exe, 00000009.00000002.614063425.00000000033D7000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://oHtnSs.comcatch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deettrPI.1872GAT02.pdf.exe, 00000000.00000003.348543246.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sandoll.cPI.1872GAT02.pdf.exe, 00000000.00000003.344046675.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/DPleasePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%GETMozilla/5.0catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          low
                                          http://www.ascendercorp.com/typedesigners.htmlPI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346994696.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347052526.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346868051.00000000055D3000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346747432.00000000055D3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnsk.PI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fonts.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344011241.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comk.PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.urwpp.deDPleasePI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.dePI.1872GAT02.pdf.exe, 00000000.00000003.348396796.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnPI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePI.1872GAT02.pdf.exe, 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, catch.exe, 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.sakkal.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346720788.00000000055D3000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comicrPI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPI.1872GAT02.pdf.exe, 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, catch.exe, 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, catch.exe, 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, catch.exe, 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, catch.exe, 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cn/rPI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.sajatypeworks.comkPI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.apache.org/licenses/LICENSE-2.0PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.comexcPI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comPI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://DynDns.comDynDNScatch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.comFPI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comePI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.agfamonotype.PI.1872GAT02.pdf.exe, 00000000.00000003.355059217.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comdPI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, catch.exe, 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, catch.exe, 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comTCPI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.urwpp.deQPI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.sajatypeworks.coma)PI.1872GAT02.pdf.exe, 00000000.00000003.341031540.00000000055B2000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
URL:http://www.tiro.comlic
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.carterandcone.comlo
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.346299565.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346182389.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346137811.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346252723.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346101172.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346267222.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://en.w
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.342428606.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342376975.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.342448075.00000000055DA000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:https://api.ipify.org%$
Source:PI.1872GAT02.pdf.exe, 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:low
URL:http://www.carterandcone.coml
Source:PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.goodfont.co.kr.m
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.fontbureau.com/designers/cabarga.htmlN
Source:PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.founder.com.cn/cnn-u?
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.carterandcone.comint
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.founder.com.cn/cn
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.344513930.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344330943.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344243109.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344699399.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344820593.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344444976.00000000055CD000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344944025.00000000055D4000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344214607.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344651272.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345017322.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.344593750.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.fontbureau.com/designers/frere-jones.html
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.350538299.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350106929.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350231749.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350179211.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350438951.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350272250.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350205792.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350063993.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350314698.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350585382.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350462344.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350509924.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350082934.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350165532.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350027194.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350418250.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350130711.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350397111.00000000055EE000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.fontbureau.com/designers/cabarga.html
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.350740671.00000000055EE000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.350834095.00000000055EE000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.fontbureau.comtX(
Source:PI.1872GAT02.pdf.exe, 00000000.00000002.382630491.0000000000AC7000.00000004.00000040.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:low
URL:http://www.zhongyicts.com.cno.t
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.monotype.
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.347717700.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347673213.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343671517.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343603284.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347806036.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.347629233.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343931833.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.343826733.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.jiyu-kobo.co.jp/
Source:PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.fontbureau.com/designers8
Source:PI.1872GAT02.pdf.exe, 00000000.00000002.386241392.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.zhongyicts.com.cnlt8
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345621529.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345860474.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345963065.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345520263.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345653672.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345712831.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345117213.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345815598.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345765130.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345166705.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345345476.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345392285.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.346027248.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.carterandcone.comos
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345283896.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345218625.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.carterandcone.comncy
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• URL Reputation: safe
Reputation:unknown
URL:http://www.fontbureau.com/designers:
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.fontbureau.com/designers/
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.348682641.00000000055D0000.00000004.00000001.sdmp
Malicious:false
Reputation:high
URL:http://www.carterandcone.comtigY
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.345485164.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.345441267.00000000055CB000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.urwpp.ded
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.348186597.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.348260615.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351070142.00000000055CB000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.351131352.00000000055D7000.00000004.00000001.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.fontbureau.com/designers2
Source:PI.1872GAT02.pdf.exe, 00000000.00000003.348918399.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349323893.00000000055D0000.00000004.00000001.sdmp, PI.1872GAT02.pdf.exe, 00000000.00000003.349002423.00000000055D0000.00000004.00000001.sdmp
Malicious:false
Reputation:high

                                                                Contacted IPs

                                                                No contacted IP infos

                                                                General Information

                                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                                Analysis ID:553435
                                                                Start date:14.01.2022
                                                                Start time:22:21:14
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 13m 24s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Sample file name:PI.1872GAT02.pdf.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:41
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@33/19@2/0
                                                                EGA Information:
                                                                • Successful, ratio: 80%
                                                                HDC Information:
                                                                • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                                • Quality average: 65.1%
                                                                • Quality standard deviation: 35.6%
                                                                HCA Information:
                                                                • Successful, ratio: 100%
                                                                • Number of executed functions: 92
                                                                • Number of non-executed functions: 7
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target catch.exe, PID 3500 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

Time | Type | Description
22:22:20 | API Interceptor | 596x Sleep call for process: PI.1872GAT02.pdf.exe modified
22:22:24 | API Interceptor | 88x Sleep call for process: powershell.exe modified
22:22:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run catch C:\Users\user\AppData\Roaming\catch\catch.exe
22:23:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run catch C:\Users\user\AppData\Roaming\catch\catch.exe
22:23:08 | API Interceptor | 244x Sleep call for process: catch.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASN

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI.1872GAT02.pdf.exe.log
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):1310
                                                                Entropy (8bit):5.345651901398759
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\catch.exe.log
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1310
                                                                Entropy (8bit):5.345651901398759
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):22168
                                                                Entropy (8bit):5.6057066113124625
                                                                Encrypted:false
                                                                SSDEEP:384:ztCDLqyZp0WR0Xe0/RcSBKn4jultIa/paeQ99gtbcxyT1MaDZlbAV7G3WDyZBDIN:s0WRIe0C4K4Clt1Rat8hZC6fwy1VK
                                                                MD5:53C520BE8CDC6F6BF16863F4BB562638
                                                                SHA1:70391CC67D9B586AAC373FBF7DF6C70669BB4776
                                                                SHA-256:8129FB32F8FCC386F60B0C6E0EF92F1322B254CAB0A4DFE00F099F140F2A4E0D
                                                                SHA-512:A5CFCE49E18815C18805C650FCF7E6369940D88B01CE4D2F7B3D994F8836946B727F5757B4B95AB68E991AE76EB39F3C3D8D650557886BD0D87326F03D55937B
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: @...e...........]...................Q...x.v..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qysiocw.gzb.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajno0yrk.14b.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixzoiwgh.ddw.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kawb1whi.elv.psm1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmd43qat.nwn.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2btzcjm.l41.ps1
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:very short file (no magic)
                                                                Category:dropped
                                                                Size (bytes):1
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3:U:U
                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: 1
                                                                C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                                                                Process:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
                                                                C:\Users\user\AppData\Local\Temp\tmpB28A.tmp
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1611
                                                                Entropy (8bit):5.11715377982551
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLexvn:cgea6YrFdOFzOzN33ODOiDdKrsuTWv
                                                                MD5:3D101574D5C7C36A6FFB1733E9A405ED
                                                                SHA1:C16D43BEB7493D4F119E60C62E5D895CD4FED054
                                                                SHA-256:3A52CA55D7A163C15E187788137F8CB1B4A84779EC7DE748463F1AA23314E901
                                                                SHA-512:597E2C91C729F0F284D44FE31C6AC700546624B1544A6909A87D5BDAB7D7520E126AEDD7701A8314DA2962E02A16EB848C80A3017A216FFDDD00D74456208900
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
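The three tmp*.tmp files above are byte-identical (same SHA-256) copies of one Task Scheduler XML template, written once by the submitted sample and twice by the catch.exe copy: a logon trigger for the current user, an InteractiveToken principal at LeastPrivilege, StopExisting as the instance policy, and a static registration date from 2014 that cannot be the real registration time. That is the input for a schtasks.exe /Create /XML style registration. The Python below is an added example, not part of the report or of the sample; it parses a constructed copy of that XML (the visible elements re-typed, plus a hypothetical Actions/Command element the truncated preview does not show) and reduces it to the fields that matter for triage. It also handles the one wrinkle in these files: the declaration says encoding="UTF-16" while the file type is ASCII text, a combination expat refuses unless the declaration is removed first.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the Task Scheduler XML in the dropped tmp*.tmp files.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# CONSTRUCTED sample: the elements visible in the report's preview, plus an
# <Actions> element the truncated preview does not show. The Command path is a
# hypothetical placeholder; the report does not say which file the task runs.
SAMPLE_TASK_XML = (
    b'<?xml version="1.0" encoding="UTF-16"?>\r\n'
    b'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    b'  <RegistrationInfo>\r\n'
    b'    <Date>2014-10-25T14:27:44.8929027</Date>\r\n'
    b'    <Author>computer\\user</Author>\r\n'
    b'  </RegistrationInfo>\r\n'
    b'  <Triggers>\r\n'
    b'    <LogonTrigger>\r\n'
    b'      <Enabled>true</Enabled>\r\n'
    b'      <UserId>computer\\user</UserId>\r\n'
    b'    </LogonTrigger>\r\n'
    b'    <RegistrationTrigger>\r\n'
    b'      <Enabled>false</Enabled>\r\n'
    b'    </RegistrationTrigger>\r\n'
    b'  </Triggers>\r\n'
    b'  <Principals>\r\n'
    b'    <Principal id="Author">\r\n'
    b'      <UserId>computer\\user</UserId>\r\n'
    b'      <LogonType>InteractiveToken</LogonType>\r\n'
    b'      <RunLevel>LeastPrivilege</RunLevel>\r\n'
    b'    </Principal>\r\n'
    b'  </Principals>\r\n'
    b'  <Settings>\r\n'
    b'    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\r\n'
    b'    <StartWhenAvailable>true</StartWhenAvailable>\r\n'
    b'  </Settings>\r\n'
    b'  <Actions Context="Author">\r\n'
    b'    <Exec>\r\n'
    b'      <Command>C:\\Users\\user\\AppData\\Roaming\\example\\dropped.exe</Command>\r\n'
    b'    </Exec>\r\n'
    b'  </Actions>\r\n'
    b'</Task>\r\n'
)

# Directories a standard user can write to; a logon task whose action lives
# here is the classic user-level persistence pattern.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.I)


def q(tag: str) -> str:
    """Qualify a tag with the Task Scheduler namespace."""
    return "{%s}%s" % (TASK_NS, tag)


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse task XML as it was dropped. These files declare encoding="UTF-16"
    but contain plain ASCII, which expat rejects, so detect the real encoding
    from the bytes and strip the declaration before parsing."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw[:64]:
        text = raw.decode("utf-16")
    else:
        text = raw.decode("ascii", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return ET.fromstring(text)


def triage_task(raw: bytes) -> dict:
    """Extract the fields that decide whether a task is a persistence mechanism."""
    root = load_task_xml(raw)
    enabled = []
    triggers = root.find(q("Triggers"))
    for trig in (list(triggers) if triggers is not None else []):
        flag = trig.findtext(q("Enabled"), default="true")  # schema default is true
        if flag.strip().lower() == "true":
            enabled.append(trig.tag.split("}", 1)[1])
    principal = root.find("./%s/%s" % (q("Principals"), q("Principal")))
    commands = [c.text.strip() for c in root.iter(q("Command")) if c.text]
    findings = {
        "author": root.findtext("./%s/%s" % (q("RegistrationInfo"), q("Author"))),
        "enabled_triggers": enabled,
        "logon_type": principal.findtext(q("LogonType")) if principal is not None else None,
        "run_level": principal.findtext(q("RunLevel")) if principal is not None else None,
        "multiple_instances": root.findtext("./%s/%s" % (q("Settings"), q("MultipleInstancesPolicy"))),
        "commands": commands,
    }
    findings["persists_at_logon"] = "LogonTrigger" in enabled
    findings["runs_from_user_writable_path"] = any(USER_WRITABLE.search(c) for c in commands)
    findings["suspicious"] = findings["persists_at_logon"] and findings["runs_from_user_writable_path"]
    return findings


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print("%-30s %s" % (key, value))
```

The same function accepts a genuinely UTF-16 encoded task file (BOM or embedded NULs), so it can be pointed at exports from a live Task Scheduler as well as at the ASCII-with-wrong-declaration variant dropped here. The disabled RegistrationTrigger is deliberately left out of enabled_triggers; only triggers that can actually fire matter for the persistence verdict.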
                                                                C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):596992
                                                                Entropy (8bit):7.236697493708965
                                                                Encrypted:false
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                MD5:1396637598469E7E918C70BE938370D5
                                                                SHA1:C83510C66F043C3595960102AC030A3C99656768
                                                                SHA-256:D6F3D5FBDC9C7F68E29260BADB6FD6E8F1B606798FD9FE544E0B28387F21EAF9
                                                                SHA-512:FA0CF9DCFB5F5AB5397BDDFF5642898028CC72F197B07BE439EA90CD6BCA0E8B821CE5E9BB59DE505A5F26462514CB1F3A19C517EFC9DC6784E55EB072CF924C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@..................................0..K....@.......................`......F0............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........f..........E.......*.............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... .....::...&..E................0...........j.......8.... ............E....Z...x...........r...~...>...r.......Z...@...8...............(...R... ....8....8N...r...p.(...... .....:....&..(..... ........8u...8....r5..p.(...... ....8]...8....rc..p.(...... .....9@...&.9.... ........8'...8....r...p.(..
                                                                C:\Users\user\AppData\Roaming\catch\catch.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):596992
                                                                Entropy (8bit):7.236697493708965
                                                                Encrypted:false
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                MD5:1396637598469E7E918C70BE938370D5
                                                                SHA1:C83510C66F043C3595960102AC030A3C99656768
                                                                SHA-256:D6F3D5FBDC9C7F68E29260BADB6FD6E8F1B606798FD9FE544E0B28387F21EAF9
                                                                SHA-512:FA0CF9DCFB5F5AB5397BDDFF5642898028CC72F197B07BE439EA90CD6BCA0E8B821CE5E9BB59DE505A5F26462514CB1F3A19C517EFC9DC6784E55EB072CF924C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                Reputation:unknown
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@..................................0..K....@.......................`......F0............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H........f..........E.......*.............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... .....::...&..E................0...........j.......8.... ............E....Z...x...........r...~...>...r.......Z...@...8...............(...R... ....8....8N...r...p.(...... .....:....&..(..... ........8u...8....r5..p.(...... ....8]...8....rc..p.(...... .....9@...&.9.... ........8'...8....r...p.(..
                                                                C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe:Zone.Identifier
                                                                Process:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Reputation:unknown
                                                                Preview: [ZoneTransfer]....ZoneId=0
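Two groups of small dropped files above deserve a correct reading. The five __PSScriptPolicyTest_*.ps1/.psm1 files are not payloads: Windows PowerShell writes a one-byte file under that name to %TEMP% at start-up to test whether an AppLocker or WDAC script policy applies to it, and their identical hashes are simply the hashes of the single character "1". The two Zone.Identifier streams are the interesting part. A browser download leaves ZoneId=3 (Internet) and, with current browsers, HostUrl and often ReferrerUrl; a stream that says ZoneId=0 (LocalMachine) with no source URL, written by the sample itself onto its own copies, is there to make those copies look local. The Python below is an added example, not from the report or the sample. It reproduces the report's hashes for the one-byte files and parses the stream. The exact stream bytes are an assumption: the preview's four dots stand for non-printable bytes, and CRLF CRLF is the reading consistent with the reported size of 26 bytes.

```python
import hashlib

# CONSTRUCTED inputs. PS_POLICY_PROBE is the full content of each 1-byte
# __PSScriptPolicyTest_* file (preview "1"). ZONE_IDENTIFIER_ADS is an assumed
# reconstruction of the 26-byte Zone.Identifier stream: the preview shows four
# non-printable bytes between the section header and the key, and CRLF CRLF
# gives exactly 14 + 4 + 8 = 26 bytes.
PS_POLICY_PROBE = b"1"
ZONE_IDENTIFIER_ADS = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Hashes the report lists for the __PSScriptPolicyTest_* files.
REPORT_PSPOLICY_HASHES = {
    "md5": "C4CA4238A0B923820DCC509A6F75849B",
    "sha1": "356A192B7913B04C54574D18C28D46E6395428AB",
    "sha256": "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B",
}

# URLZONE values as written by Windows into the ZoneId field.
URLZONE = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of in-memory bytes, upper-case like the report's columns."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict) -> bool:
    """True when every hash the report lists agrees with the bytes in hand."""
    actual = hash_bytes(data)
    return all(actual[alg] == digest.upper() for alg, digest in expected.items())


def parse_zone_identifier(ads: bytes) -> dict:
    """Parse the INI-style Zone.Identifier stream and judge its provenance.
    ZoneId 0..2 with no HostUrl/ReferrerUrl is the pattern of a program
    writing the stream itself rather than a browser recording a download."""
    fields, section = {}, None
    for line in ads.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        zone = -1  # no usable ZoneId: treat as unknown rather than guessing
    has_source = any(k in fields for k in ("HostUrl", "ReferrerUrl"))
    return {
        "zone_id": zone,
        "zone_name": URLZONE.get(zone, "Unknown"),
        "has_source_url": has_source,
        "mark_of_the_web": zone >= 3,
        "looks_programmatic": 0 <= zone <= 2 and not has_source,
    }


if __name__ == "__main__":
    print("PSScriptPolicyTest hashes match report:",
          matches_report(PS_POLICY_PROBE, REPORT_PSPOLICY_HASHES))
    print("Zone.Identifier:", parse_zone_identifier(ZONE_IDENTIFIER_ADS))
    print("reconstructed stream hashes:", hash_bytes(ZONE_IDENTIFIER_ADS))
```

On a live host the stream is read with Get-Content -Stream Zone.Identifier, and the same parser applies to its output. Because the stream bytes here are reconstructed, the block prints their hashes for comparison with the report's columns rather than asserting equality.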
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.QGssXbBu.20220114222222.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.377704252121327
                                                                Encrypted:false
                                                                SSDEEP:96:BZRTLKN+qDo1ZPZkTLKN+qDo1ZyxDpjZdTLKN+qDo1ZPE553Zg:f
                                                                MD5:71D228AAF492D79076B73C9D2B27013A
                                                                SHA1:0A86EAB450B1CD81557CCF72E31E7C803F9AB44A
                                                                SHA-256:A8517EDF2BC36DF48DF3C3E13A0BE1BA07B132AD0D1F54FC09979F9299470954
                                                                SHA-512:893BB62391D84D9A6828EC3E1616CB6670D4A6F55ABD71D624C9B21E430F9939D08577F6F6DACEE7D3ED8FFDD33CC38E7EC6E9BD7F410C75BCA07ABABCCB0C67
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222223..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 5588..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222223..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222545..Username: computer\user..RunAs User: D
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.b0jiOviu.20220114222318.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.371678692143556
                                                                Encrypted:false
                                                                SSDEEP:96:BZcTLKNKtqDo1ZIZqTLKNKtqDo1ZIxDpjZ/TLKNKtqDo1ZZE55JZa:H
                                                                MD5:9856AC8EDA71C81081373075C63B1FBF
                                                                SHA1:1127A82E408E284F58970BFC492FDF3155D7F1CA
                                                                SHA-256:67D2D901C2AE839AC5BB8A3D65AA9772BF9E469B5BFE055CDB8B12E02C1ABFBC
                                                                SHA-512:F757EBE94C7E5248B1F858B80737A345393361E8B5B587B3FF88FCEAE7BADE7D3446FED4E838112CB59A362520B57523CFF2B0D163177C05AD0075F63D52EB22
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222321..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 5612..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222321..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222631..Username: computer\user..RunAs User: D
                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.377142.dHeZQIbB.20220114222311.txt
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):5827
                                                                Entropy (8bit):5.373267333914756
                                                                Encrypted:false
                                                                SSDEEP:96:BZ+TLKNXqDo1ZyZCTLKNXqDo1ZIxDpjZ0TLKNXqDo1ZcE554ZH:4
                                                                MD5:85283F0F6FA628A82FFF3E0E79A83DEC
                                                                SHA1:3917D8CD74B27A603CB7B1FCA06B2BD6522617C6
                                                                SHA-256:81EE9C2B79D72E329B1A5B6F9043F27224D36E967C0BCBADA6E9DE1D37B7438F
                                                                SHA-512:ABE8FEC327AB41D49175A18483020C6BE91D04863324885C4F4AD01BC275A6C17EA800D62D7D6A152AC29B0DE46D002ECFE92C2E06EA0EBC829F48307787ECF1
                                                                Malicious:false
                                                                Reputation:unknown
                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114222312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 377142 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..Process ID: 4656..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114222312..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe..**********************..Windows PowerShell transcript start..Start time: 20220114222705..Username: computer\user..RunAs User: D
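The three transcripts record the same command run by three separate powershell.exe processes within about a minute (PIDs 5588, 4656 and 5612): Add-MpPreference -ExclusionPath for C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe, the self-copy whose hashes match the submitted sample. Two details are easy to misread. The Process column says SysWOW64 while the transcript's Host Application says System32; that is WoW64 file-system redirection as seen from inside a 32-bit process, not two different binaries. And transcripts exist only because the analysis machine has transcription enabled; on a production host the equivalent evidence is PowerShell script block logging (event 4104) or the Defender operational log's configuration-change event 5007. The Python below is an added example, not from the report, that parses one transcript session and extracts Defender-weakening cmdlets and their arguments. The sample transcript is constructed from the report's preview (the ".." in the preview stand for CRLF); the field values are the report's, the line layout is assumed, and the table of cmdlets to look for is the example's own choice.

```python
import re

# CONSTRUCTED transcript session modelled on the PowerShell_transcript.* previews
# above. Values are the report's for PID 5588; exact layout is assumed.
SAMPLE_TRANSCRIPT = "\r\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20220114222223",
    "Username: computer\\user",
    "RunAs User: computer\\user",
    "Configuration Name: ",
    "Machine: 377142 (Microsoft Windows NT 10.0.17134.0)",
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\iDGyQtltoKmu.exe",
    "Process ID: 5588",
    "PSVersion: 5.1.17134.1",
    "**********************",
    "**********************",
    "Command start time: 20220114222223",
    "**********************",
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\iDGyQtltoKmu.exe",
    "**********************",
])

# Cmdlets and parameters that weaken Defender. This table is the example's own
# choice of what to look for, not something the report enumerates.
DEFENDER_TAMPER = {
    "Add-MpPreference": ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"),
    "Set-MpPreference": ("-ExclusionPath", "-DisableRealtimeMonitoring",
                         "-DisableBehaviorMonitoring", "-DisableIOAVProtection"),
}
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?): ?(.*)$")


def parse_transcript(text: str) -> dict:
    """Split one transcript session into its header fields and PS> commands."""
    header, commands = {}, []
    for line in text.splitlines():
        if line.startswith("PS>"):
            commands.append(line[3:].strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
    return {"header": header, "commands": commands}


def find_defender_tampering(text: str) -> list:
    """Report each Defender-weakening cmdlet/parameter/value once per session.
    The host command line is scanned as well: a dropper that passes the cmdlet
    as an argument to powershell.exe shows it there even if no PS> line exists."""
    parsed = parse_transcript(text)
    header = parsed["header"]
    candidates = parsed["commands"] + [header.get("Host Application", "")]
    seen, hits = set(), []
    for cmd in candidates:
        for cmdlet, params in DEFENDER_TAMPER.items():
            if cmdlet.lower() not in cmd.lower():
                continue
            for param in params:
                # Parameter name, then an optional quoted or bare value.
                m = re.search(re.escape(param) + r"\b(?:\s+(\"[^\"]*\"|'[^']*'|\S+))?", cmd, re.I)
                if not m:
                    continue
                value = (m.group(1) or "").strip("\"'")
                key = (cmdlet, param, value.lower())
                if key in seen:
                    continue
                seen.add(key)
                hits.append({"cmdlet": cmdlet, "parameter": param, "value": value,
                             "pid": header.get("Process ID"),
                             "start": header.get("Start time"),
                             "runas": header.get("RunAs User")})
    return hits


if __name__ == "__main__":
    for hit in find_defender_tampering(SAMPLE_TRANSCRIPT):
        print(hit)
```

Run over all three transcript files the function yields the same exclusion path three times with three different PIDs, which is the useful signal: one exclusion added repeatedly by short-lived PowerShell processes spawned from a user profile path, rather than a single administrative change.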

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.236697493708965
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:PI.1872GAT02.pdf.exe
                                                                File size:596992
                                                                MD5:1396637598469e7e918c70be938370d5
                                                                SHA1:c83510c66f043c3595960102ac030a3c99656768
                                                                SHA256:d6f3d5fbdc9c7f68e29260badb6fd6e8f1b606798fd9fe544e0b28387f21eaf9
                                                                SHA512:fa0cf9dcfb5f5ab5397bddff5642898028cc72f197b07be439ea90cd6bca0e8b821ce5e9bb59de505a5f26462514cb1f3a19c517efc9dc6784e55eb072cf924c
                                                                SSDEEP:12288:tK777777777777N79PvlZJB1Wzf25mo+aeI73QDQYV+KS8rDblU7dhqsQ:tK777777777777l9hB1Wjcmo+FaQUYVQ
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.a.............................0... ...@....@.. ....................................@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4930de
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x61E14017 [Fri Jan 14 09:19:19 2022 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times)

The jump target 0x00402000 is the imagebase 0x400000 plus the IAT RVA 0x2000; that single IAT slot holds the address of mscoree!_CorExeMain, the only import, so the native entry point does nothing but hand control to the CLR, as in every .NET executable. The 97 "add byte ptr [eax], al" instructions that follow are the zero bytes after the 6-byte jmp stub (opcode 00 00), not real code.

                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x93090 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x93046 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x910e4 | 0x91200 | False | 0.758032878445 | data | 7.24659563485 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x94000 | 0x5c4 | 0x600 | False | 0.431640625 | data | 4.11817059658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x940a0 | 0x336 | data | |
RT_MANIFEST | 0x943d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | 2022 Tradewell
Assembly Version | 22.0.0.0
InternalName | TextIn.exe
FileVersion | 1.1.0.0
CompanyName | Tradewell ltd
LegalTrademarks |
Comments | Purple Org
ProductName | Blaster
ProductVersion | 1.1.0.0
FileDescription | Blaster
OriginalFilename | TextIn.exe

                                                                Network Behavior

                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/14/22-22:24:16.780887 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49845 | 587 | 192.168.2.6 | 208.91.199.224
01/14/22-22:24:18.553611 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49846 | 587 | 192.168.2.6 | 208.91.199.224

                                                                Network Port Distribution

                                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 22:24:15.108119965 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Jan 14, 2022 22:24:15.262865067 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Jan 14, 2022 22:24:15.266561031 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Jan 14, 2022 22:24:15.432521105 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6

                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 22:24:15.108119965 CET | 192.168.2.6 | 8.8.8.8 | 0x3206 | Standard query (0) | smtp.tranpotescamdonic.us | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.266561031 CET | 192.168.2.6 | 8.8.8.8 | 0x4bb1 | Standard query (0) | smtp.tranpotescamdonic.us | A (IP address) | IN (0x0001)

                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | smtp.tranpotescamdonic.us | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.262865067 CET | 8.8.8.8 | 192.168.2.6 | 0x3206 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | smtp.tranpotescamdonic.us | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2022 22:24:15.432521105 CET | 8.8.8.8 | 192.168.2.6 | 0x4bb1 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
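Read together, the DNS answers and the two Snort hits tie the SMTP exfiltration to the queried name rather than to a bare address: the sample resolves smtp.tranpotescamdonic.us, which is a CNAME to us2.smtp.mailhostbox.com with four A records, and then talks to one of those four on 587. The Python below is an added example, not part of the report; it rebuilds that correlation from the records above (transcribed into a pipe-separated form so the parser stays trivial), follows the CNAME, maps each alert's destination back to the names that resolved to it, and lists the resolved addresses the run never touched. The function names are the example's own.

```python
"""Correlate DNS answers with IDS alerts to name the exfil host.

Added example (not part of the sandbox report). The two record sets are
transcribed from this report's DNS Answers and Snort IDS Alerts tables into
a pipe-separated form.
"""
from collections import defaultdict

# trans_id|name|type|value   (transcribed from the DNS Answers table)
DNS_ANSWERS = """\
0x3206|smtp.tranpotescamdonic.us|CNAME|us2.smtp.mailhostbox.com
0x3206|us2.smtp.mailhostbox.com|A|208.91.199.224
0x3206|us2.smtp.mailhostbox.com|A|208.91.198.143
0x3206|us2.smtp.mailhostbox.com|A|208.91.199.225
0x3206|us2.smtp.mailhostbox.com|A|208.91.199.223
0x4bb1|smtp.tranpotescamdonic.us|CNAME|us2.smtp.mailhostbox.com
0x4bb1|us2.smtp.mailhostbox.com|A|208.91.199.225
0x4bb1|us2.smtp.mailhostbox.com|A|208.91.198.143
0x4bb1|us2.smtp.mailhostbox.com|A|208.91.199.223
0x4bb1|us2.smtp.mailhostbox.com|A|208.91.199.224
"""

# timestamp|proto|sid|message|sport|dport|src|dst   (from the Snort table)
SNORT_ALERTS = """\
01/14/22-22:24:16.780887|TCP|2030171|ET TROJAN AgentTesla Exfil Via SMTP|49845|587|192.168.2.6|208.91.199.224
01/14/22-22:24:18.553611|TCP|2030171|ET TROJAN AgentTesla Exfil Via SMTP|49846|587|192.168.2.6|208.91.199.224
"""


def parse_dns(text):
    """Return (cnames, addrs): name -> canonical name, name -> set of A records."""
    cnames, addrs = {}, defaultdict(set)
    for line in text.splitlines():
        _tid, name, rtype, value = line.split("|")
        if rtype == "CNAME":
            cnames[name] = value
        elif rtype == "A":
            addrs[name].add(value)
    return cnames, addrs


def resolve(name, cnames, addrs):
    """Follow the CNAME chain (loop-safe) and return (canonical name, A records)."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name, set(addrs.get(name, ()))


def parse_alerts(text):
    """Snort rows as dicts with numeric sid and ports."""
    fields = ("ts", "proto", "sid", "msg", "sport", "dport", "src", "dst")
    out = []
    for line in text.splitlines():
        rec = dict(zip(fields, line.split("|")))
        for key in ("sid", "sport", "dport"):
            rec[key] = int(rec[key])
        out.append(rec)
    return out


def correlate(dns_text, alert_text):
    """Map every alerted (dst, dport) to the DNS names that resolved to dst."""
    cnames, addrs = parse_dns(dns_text)
    ip_to_names = defaultdict(set)
    for queried in set(cnames) | set(addrs):
        _canon, ips = resolve(queried, cnames, addrs)
        for ip in ips:
            ip_to_names[ip].add(queried)
    iocs = {}
    for a in parse_alerts(alert_text):
        entry = iocs.setdefault(
            (a["dst"], a["dport"]), {"sid": a["sid"], "msg": a["msg"], "names": set(), "hits": 0}
        )
        entry["names"] |= ip_to_names.get(a["dst"], set())
        entry["hits"] += 1
    return iocs


def unhit_addresses(dns_text, alert_text, name="smtp.tranpotescamdonic.us"):
    """A records of the exfil host that this run never contacted. They belong
    on the same blocklist even though no alert fired for them."""
    cnames, addrs = parse_dns(dns_text)
    hit = {a["dst"] for a in parse_alerts(alert_text)}
    _canon, ips = resolve(name, cnames, addrs)
    return sorted(ips - hit)


if __name__ == "__main__":
    for (dst, port), info in correlate(DNS_ANSWERS, SNORT_ALERTS).items():
        print(f"{dst}:{port} sid={info['sid']} hits={info['hits']} names={sorted(info['names'])}")
    print("resolved but not contacted:", unhit_addresses(DNS_ANSWERS, SNORT_ALERTS))
```

Two practical consequences follow from the output. The four A records belong to the CNAME target, not to the attacker's own domain, so the queried name and the SMTP account the stealer authenticates with (recoverable from the injected process's memory) are the durable indicators, and the three addresses the run did not touch still need the same treatment as the one that triggered SID 2030171.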

                                                                Code Manipulations

Statistics

CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior are interactive per-process charts in the original report and are not reproduced here.

                                                                System Behavior

                                                                General

                                                                Start time:22:22:10
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"
                                                                Imagebase:0x2c0000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.383386260.0000000003769000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.383033038.0000000002761000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.383089116.00000000027AB000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:22:22:21
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe"
                                                                Imagebase:0xd30000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:22:22
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:22:22
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp"
                                                                Imagebase:0x20000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
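The three processes above form the sample's setup chain: the dropper with a double extension, powershell.exe adding a Defender exclusion for the copy it will keep in %AppData%, and schtasks.exe importing a task definition from a temp file. The Python below is an added example, not part of the report and not the Sigma rules the report names; it approximates those three detections as regexes over process-creation events built from the command lines above (quoting normalized; the conhost rows and one benign schtasks query are constructed controls). Field names follow Sysmon event 1 (Image, CommandLine); the rule labels are this example's own.

```python
"""Approximate the report's process-level Sigma hits with regexes.

Added example (not part of the sandbox report, and not the Sigma rules
themselves). Events are constructed from the report's System Behavior
entries; the conhost rows and the last schtasks row are benign controls.
"""
import re
from pathlib import PureWindowsPath

# Process-creation events (Sysmon event 1 style). Quotes normalized.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PI.1872GAT02.pdf.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe"'},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpB28A.tmp"'},
    # constructed benign control: a task query must not match the create rule
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

# Each rule: (label, image basename regex, command-line regex or None); all case-insensitive.
RULES = [
    ("Suspicious Double Extension",
     r"\.(pdf|docx?|xlsx?|pptx?|txt|rtf|jpe?g|png)\.exe$",
     None),
    ("Powershell Defender Exclusion",
     r"^(powershell|pwsh)\.exe$",
     r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b"),
    ("Suspicious Add Task From User AppData Temp",
     r"^schtasks\.exe$",
     r"/create\b.*/xml\b.*\\Users\\[^\\]+\\AppData\\Local\\Temp\\"),
]


def image_name(image):
    """Basename only. The 32-bit dropper launched System32 tools that actually
    ran from SysWOW64 through file-system redirection (compare Path and
    Commandline above), so full-path matching would miss them."""
    return PureWindowsPath(image).name


def evaluate(event):
    """Labels of every rule the event satisfies."""
    name, cmd = image_name(event["Image"]), event["CommandLine"]
    hits = []
    for label, img_re, cmd_re in RULES:
        if not re.search(img_re, name, re.I):
            continue
        if cmd_re is not None and not re.search(cmd_re, cmd, re.I):
            continue
        hits.append(label)
    return hits


def scan(events):
    """Sorted (label, image basename) pairs for every event that fires a rule."""
    return sorted({(label, image_name(e["Image"])) for e in events for label in evaluate(e)})


if __name__ == "__main__":
    for label, image in scan(EVENTS):
        print(f"{label:45} <- {image}")
```

Add-MpPreference only succeeds in an elevated context, which the report shows the sample had ("Has administrator privileges: true"); on a standard-user host the exclusion fails while the scheduled task, which a user can create for their own account, still provides persistence, so the schtasks detection is the one that holds in both cases.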

                                                                General

                                                                Start time:22:22:23
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:22:24
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\PI.1872GAT02.pdf.exe
                                                                Imagebase:0xb60000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.377405263.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.378343563.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.610231002.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.379158737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.606087624.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.379924132.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:22:23:02
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\catch\catch.exe"
                                                                Imagebase:0x310000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.510080482.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.507778914.0000000002791000.00000004.00000001.sdmp, Author: Joe Security
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 47%, ReversingLabs
                                                                Reputation:low

                                                                General

                                                                Start time:22:23:09
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                                                                Imagebase:0xd30000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:10
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:10
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\catch\catch.exe"
                                                                Imagebase:0x360000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.509847995.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.507639555.0000000002791000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Start time:22:23:11
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp79D1.tmp
                                                                Imagebase:0x20000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:12
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:13
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x270000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low

                                                                General

                                                                Start time:22:23:15
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x3d0000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iDGyQtltoKmu.exe
                                                                Imagebase:0xd30000
                                                                File size:430592 bytes
                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x330000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:17
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDGyQtltoKmu" /XML "C:\Users\user\AppData\Local\Temp\tmp86D2.tmp
                                                                Imagebase:0x20000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:19
                                                                Start date:14/01/2022
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language

                                                                General

                                                                Start time:22:23:20
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x940000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.500639086.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.512689898.0000000002E31000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.499174008.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.501171531.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.511166140.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000000.502205022.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                General

                                                                Start time:22:23:20
                                                                Start date:14/01/2022
                                                                Path:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\catch\catch.exe
                                                                Imagebase:0x990000
                                                                File size:596992 bytes
                                                                MD5 hash:1396637598469E7E918C70BE938370D5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.499820218.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.501701572.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000002.606123172.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.502624331.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.609266504.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000020.00000000.500431945.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

                                                                Disassembly

                                                                Code Analysis

                                                                  Execution Graph

                                                                  Execution Coverage:11.5%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:244
                                                                  Total number of Limit Nodes:17

                                                                  Graph

                                                                  execution_graph (interactive call graph rendered as text; node and edge identifiers are not reproduced here). API calls that appear as nodes in the graph: CreateProcessA, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, ResumeThread, DuplicateHandle, PostMessageW, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA
22950 abcbc7 22949->22950 22954 abe950 22950->22954 22960 abe938 22950->22960 22951 abcc00 22951->22944 22956 abe981 22954->22956 22957 abe9cd 22954->22957 22955 abe98d 22955->22951 22956->22955 22958 abedbf LoadLibraryExW GetModuleHandleW 22956->22958 22959 abedd0 LoadLibraryExW GetModuleHandleW 22956->22959 22957->22951 22958->22957 22959->22957 22961 abe91d 22960->22961 22963 abe94a 22960->22963 22961->22951 22962 abe98d 22962->22951 22963->22962 22964 abedbf LoadLibraryExW GetModuleHandleW 22963->22964 22965 abedd0 LoadLibraryExW GetModuleHandleW 22963->22965 22964->22962 22965->22962

                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00ABBF90
                                                                  • GetCurrentThread.KERNEL32 ref: 00ABBFCD
                                                                  • GetCurrentProcess.KERNEL32 ref: 00ABC00A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00ABC063
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: ff1e8fa93bd3290228e98b5a3ab7c77030337c2107bf251a91324d4f716c62fb
                                                                  • Instruction ID: 32df6002191e63e062f4c7abc196e5b800416b1be5c2f40e9ab644cc3b294e1b
                                                                  • Opcode Fuzzy Hash: ff1e8fa93bd3290228e98b5a3ab7c77030337c2107bf251a91324d4f716c62fb
                                                                  • Instruction Fuzzy Hash: 645177B0900749CFCB54DFA9C548BEEBBF4EF88314F248899E019A7251C7749844CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00ABBF90
                                                                  • GetCurrentThread.KERNEL32 ref: 00ABBFCD
                                                                  • GetCurrentProcess.KERNEL32 ref: 00ABC00A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00ABC063
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: aa6d2125655e0a08cd99da381750dde4bd0ee3980863b1e4077bed88ab7d3194
                                                                  • Instruction ID: 69a03547f66e480e11b0ddf0c2f0059350ebb161903e95c60b8a6b147c938912
                                                                  • Opcode Fuzzy Hash: aa6d2125655e0a08cd99da381750dde4bd0ee3980863b1e4077bed88ab7d3194
                                                                  • Instruction Fuzzy Hash: 8A5166B0D00649CFDB54DFAAC548BEEBBF4EB48314F208899E019A7251C7749844CF65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070273AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 9fcc89806df1338b9d425acd2d0b891256254a74f90062840b5857766daf130d
                                                                  • Instruction ID: 17f4cf1438a22c5e0a1da547dc0d439db86132d79cece66dc4e045d8e460d668
                                                                  • Opcode Fuzzy Hash: 9fcc89806df1338b9d425acd2d0b891256254a74f90062840b5857766daf130d
                                                                  • Instruction Fuzzy Hash: 1DA17CB2D00229CFDB10CFA4C841BEDBBB6FF48304F149669E914A7250DB749986DF92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070273AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: fe9e03c875040485f05de9e7fb3bdfdc8f49a5ae9014938c0ab55aa4d3b87834
                                                                  • Instruction ID: aa2fee8644407a16baa413956025d6b1093ecc769c6b06bebfdb7fafa1b8a548
                                                                  • Opcode Fuzzy Hash: fe9e03c875040485f05de9e7fb3bdfdc8f49a5ae9014938c0ab55aa4d3b87834
                                                                  • Instruction Fuzzy Hash: DE917CB2D00229CFDB10CFA4C880BDDBBB6FF44314F149669E918A7240DB749986DF92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00ABA176
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 8f2579cccbf16529d441a0f80fe5c6bd650247936488482bd29478d3121497ee
                                                                  • Instruction ID: 92ef2c4b9d677bda0569575950c26cc72b4dc23051d0d2611055c6ef9a4748f3
                                                                  • Opcode Fuzzy Hash: 8f2579cccbf16529d441a0f80fe5c6bd650247936488482bd29478d3121497ee
                                                                  • Instruction Fuzzy Hash: EA716570A00B048FDB64DF6AD0407ABBBF9BF88344F008A2ED44AD7A41DB35E805CB91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00AB5649
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 23248af0f6cf8607716a95e1ebdb206d886947753d2df604b7767cceb8abb8f8
                                                                  • Instruction ID: 3078b4b4ba5224147cff6a8ed712f10a034b97e604fd6bd374d5185acbf27097
                                                                  • Opcode Fuzzy Hash: 23248af0f6cf8607716a95e1ebdb206d886947753d2df604b7767cceb8abb8f8
                                                                  • Instruction Fuzzy Hash: 38410471C00618CEDF24DFA9C8947DEFBB9BF49308F248469D448AB251DB715946CF51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00AB5649
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 0272e25473a4acef27fe1809f7a6cfdaf7bd1710dc8db29771739f3cf015c732
                                                                  • Instruction ID: 75b7ce3da1d6117cb5105aa80f17eb1f9e33b30b9dabd82322a3b7c03d713ac2
                                                                  • Opcode Fuzzy Hash: 0272e25473a4acef27fe1809f7a6cfdaf7bd1710dc8db29771739f3cf015c732
                                                                  • Instruction Fuzzy Hash: F741F170C00618CBDF24DFA9C884BCEBBB9BF48308F648469D409AB251DB756946CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07026F80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: e41346ed44a831ef63b025d4b7c2b1a95deba7cc7e9129b69fba3cdffe1814a8
                                                                  • Instruction ID: ce713083aa66ea5818feb589932450974d3c6b9eb35f4999bef6e7d560107e9d
                                                                  • Opcode Fuzzy Hash: e41346ed44a831ef63b025d4b7c2b1a95deba7cc7e9129b69fba3cdffe1814a8
                                                                  • Instruction Fuzzy Hash: 2D2148B29003599FCF50CFA9C8847DEBBF5FF48314F10882AE918A7641D778A955CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07026F80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: b484fea5d48a449ffb8bd451ff2431fcb8ea0138e778d58e455d4779141c1f4f
                                                                  • Instruction ID: fa1f435553b28280d36b8cb6c143bd3d15e72a47cf69dd8f18068f44afbb4af8
                                                                  • Opcode Fuzzy Hash: b484fea5d48a449ffb8bd451ff2431fcb8ea0138e778d58e455d4779141c1f4f
                                                                  • Instruction Fuzzy Hash: 022127B19003599FCF50CFA9C884BDEBBF5FF48314F10882AE918A7640D779A955CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07027060
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 8214325984b33b7c320bc13b3e048b739f562b71e2ed88962fe7cad36f295fae
                                                                  • Instruction ID: 03db99bc2ab795103f4a2bff5090cbce4ed29bfb5feae45b58030c4e79b93317
                                                                  • Opcode Fuzzy Hash: 8214325984b33b7c320bc13b3e048b739f562b71e2ed88962fe7cad36f295fae
                                                                  • Instruction Fuzzy Hash: 592136B18002199FCB10CFAAC880ADEFBF5FF48314F10882AE518A3240C778A954CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetThreadContext.KERNELBASE(?,00000000), ref: 07026DD6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0
                                                                  • Opcode ID: 07c4752d8e755477891a4084c9b48bb83cc7e4e7e8a8c569ae4df006ce1b5882
                                                                  • Instruction ID: 391fc8fcf550ff191b3520da90250eff1384bc4aa1c62b87d1ac9f27af9215d9
                                                                  • Opcode Fuzzy Hash: 07c4752d8e755477891a4084c9b48bb83cc7e4e7e8a8c569ae4df006ce1b5882
                                                                  • Instruction Fuzzy Hash: 83213AB1D003198FDB10DFAAC4857EEBBF4EF48218F14842AD419A7741D779A945CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABC1DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0

Control-flow Graph (interactive graph not reproduced; node list recovered from the page): 605 7026fe0-702706d ReadProcessMemory, 608 7027076-70270a6, 609 702706f-7027075; edges 605->608, 605->609, 609->608
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07027060
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (interactive graph not reproduced; node list recovered from the page): 595 7026d58-7026da3, 597 7026db3-7026de3 GetThreadContext, 598 7026da5-7026db1, 600 7026de5-7026deb, 601 7026dec-7026e1c; edges 595->597, 595->598, 597->600, 597->601, 598->597, 600->601
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 07026DD6
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ABC1DF
Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07026E9E
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ABA1F1,00000800,00000000,00000000), ref: 00ABA402
Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ABA1F1,00000800,00000000,00000000), ref: 00ABA402
Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07026E9E
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0702B0E5
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

APIs
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00ABA176
Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• PostMessageW.USER32(?,?,?,?), ref: 0702B0E5
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204

Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.382583745.0000000000AB0000.00000040.00000001.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_PI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7020000_PI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                  • Opcode ID: ed2131f148db489f63b4ec4c3d051fc03dd4072b945eba9adcc04e1c60d333e6
                                                                  • Instruction ID: 45f2bad876a33529ba4b3b74f524cd2376a35022107db7297851e140d99a0d92
                                                                  • Opcode Fuzzy Hash: ed2131f148db489f63b4ec4c3d051fc03dd4072b945eba9adcc04e1c60d333e6
                                                                  • Instruction Fuzzy Hash: 4831ECB1E146298BEB68CF67C8047DEF6F2BF89304F04C1AAC81DB6255DB7409859F51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.386872616.0000000007020000.00000040.00000001.sdmp, Offset: 07020000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7020000_PI.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78c6404d008bac4b28de8eeb67c2f6031b1a9778173ad4bd47b689344a671f4e
                                                                  • Instruction ID: b9d541c993d8c6bad582fd35d2d8f770b23329d5c951349fe2e3de5c839d6a4e
                                                                  • Opcode Fuzzy Hash: 78c6404d008bac4b28de8eeb67c2f6031b1a9778173ad4bd47b689344a671f4e
                                                                  • Instruction Fuzzy Hash: AB21EDB1E156298BEB28CF57CC1479ABAF3AFC5304F04C1BAC81D6A255DB3449858F41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:12.9%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:3.4%
                                                                  Total number of Nodes:116
                                                                  Total number of Limit Nodes:13

                                                                  Graph


                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609151888.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1390000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 87004397a333d37a9a56b6fc629fbe3594daa5483b6a58e638029c8c6bfd003f
                                                                  • Instruction ID: bc3d8a03157d780d0ed141ccf4ccf8dc2ccecafdf4c42fbdd81de867ebaa2273
                                                                  • Opcode Fuzzy Hash: 87004397a333d37a9a56b6fc629fbe3594daa5483b6a58e638029c8c6bfd003f
                                                                  • Instruction Fuzzy Hash: 8E620934E007198BCB24EF78C9546EEB7B5AF89304F1085A9D54AAB394EF309D85CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 02E569A0
                                                                  • GetCurrentThread.KERNEL32 ref: 02E569DD
                                                                  • GetCurrentProcess.KERNEL32 ref: 02E56A1A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02E56A73
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: a749542915547106a57ce6ce33f7c04b0ce5f11d1058e49078611cf358d9cc96
                                                                  • Instruction ID: eca37947ef2def980736bf5a6a08e7cc0c3522af24e38f6799cffbd9df730850
                                                                  • Opcode Fuzzy Hash: a749542915547106a57ce6ce33f7c04b0ce5f11d1058e49078611cf358d9cc96
                                                                  • Instruction Fuzzy Hash: E55187B4A013488FDB05DFAAD5487DEBFF4EF88318F24849AE409A7351D7385884CB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 02E569A0
                                                                  • GetCurrentThread.KERNEL32 ref: 02E569DD
                                                                  • GetCurrentProcess.KERNEL32 ref: 02E56A1A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 02E56A73
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 9281b14ad5be2373725eac04dd16d92df65649a9b3b38fa40b3899244327390b
                                                                  • Instruction ID: 8fe07a0ca6480703a158fec28f8a06bf3a3a060906fddb42b89abdfef706a008
                                                                  • Opcode Fuzzy Hash: 9281b14ad5be2373725eac04dd16d92df65649a9b3b38fa40b3899244327390b
                                                                  • Instruction Fuzzy Hash: 305164B4A012488FDB04DFAAD548BEEBBF4EF88318F208459E819B7350C7745884CB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609151888.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1390000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 03acae3e8a6c982b0fde7c75774a181a5ba97f12f38d2f0e7b9e0531fa6e7f05
                                                                  • Instruction ID: 1d9764ff1a31bc1c87616578931b42dbf989235f3c8278de6f560677ccac3142
                                                                  • Opcode Fuzzy Hash: 03acae3e8a6c982b0fde7c75774a181a5ba97f12f38d2f0e7b9e0531fa6e7f05
                                                                  • Instruction Fuzzy Hash: F161D531B002059FCF15EBB4C854BAE77B6AF84208F148979E4159B395DF34E805CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609151888.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1390000_PI.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54afc84a1e9f49120d26dd29d85c5e0b314cd7a081abedbdfcd35311bf47e71a
                                                                  • Instruction ID: 0223ef4cc876c500ae26acf325b55063a66c997837426336a242ac76c4cda1b2
                                                                  • Opcode Fuzzy Hash: 54afc84a1e9f49120d26dd29d85c5e0b314cd7a081abedbdfcd35311bf47e71a
                                                                  • Instruction Fuzzy Hash: 74412572D043458FCB01CFB9D8142DEBFF5AF8A224F15856AD404E7241EB389845CBE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E551A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: f8d95087a7c4ddb1dd5167edc7e112204033d63482bbb2fa1578a92bebbe53d5
                                                                  • Instruction ID: 511dd66aedd3ba4b8ee6c501b133e51d625b8ec0336fe6f4cd54fba38577359a
                                                                  • Opcode Fuzzy Hash: f8d95087a7c4ddb1dd5167edc7e112204033d63482bbb2fa1578a92bebbe53d5
                                                                  • Instruction Fuzzy Hash: A251EEB1D103199FDB14CFA9C980ADEBFB5BF48314F64852AE818AB210D774A945CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E551A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 3b9f0f1832ac620cd05dd9aedc162a75415e17a33b1b7f77daa40eb59a6f939b
                                                                  • Instruction ID: d33526936b20e32113a26844ffb0f6fd0a71bbde03a753ad68753ce5666d5769
                                                                  • Opcode Fuzzy Hash: 3b9f0f1832ac620cd05dd9aedc162a75415e17a33b1b7f77daa40eb59a6f939b
                                                                  • Instruction Fuzzy Hash: B441EFB1D103189FDB14CF9AC984ADEBFB5BF48314F64812AE819AB210D774A945CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02E57F09
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: 398e908d83d7fead4bf7217d23f5319f7a6235474599f30649597251b29658d5
                                                                  • Instruction ID: e88a1512930ae10aa7f8b94b77e6c21c96e28e73ddc4e7b8e89a501f8f11a20e
                                                                  • Opcode Fuzzy Hash: 398e908d83d7fead4bf7217d23f5319f7a6235474599f30649597251b29658d5
                                                                  • Instruction Fuzzy Hash: 21411AB5A107158FCB14CF99C488AAAFBF9FF88314F15C559E819AB321D734A841CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02E5C212
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 94e7ef295d10383e5f9546e4a82d571974186f717db5bc159e436ca58baf5c82
                                                                  • Instruction ID: 25a50ddfe09c858347c45bab4d490290bfa8fda173010f046795f7538a65650c
                                                                  • Opcode Fuzzy Hash: 94e7ef295d10383e5f9546e4a82d571974186f717db5bc159e436ca58baf5c82
                                                                  • Instruction Fuzzy Hash: 6B31CDB18053858FDB10EFA6E50839E7FF4FB45328F24905AD848E7242D7795445CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E56BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 22a115a13a98eca15a653bc4b25af6b52f49f26ed37eb1a93b6eda17d92bfa39
                                                                  • Instruction ID: 7294ba4fb6e7d619f46ad30f8ec9188418c199abbac08e6a34064a3e9d741c57
                                                                  • Opcode Fuzzy Hash: 22a115a13a98eca15a653bc4b25af6b52f49f26ed37eb1a93b6eda17d92bfa39
                                                                  • Instruction Fuzzy Hash: 4D21D2B59002089FDB10CFAAD985ADEFBF8EB48324F14841AE814A7310D378A955CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E56BEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 9a0d19c48a3c3c31b6eecde5b90cff882af2a91e3cee84ea9dd7d50e7d173def
                                                                  • Instruction ID: 81543c31c0b1919fb80d135d73e2004078a3a92f62b0a5b21990915735dfda50
                                                                  • Opcode Fuzzy Hash: 9a0d19c48a3c3c31b6eecde5b90cff882af2a91e3cee84ea9dd7d50e7d173def
                                                                  • Instruction Fuzzy Hash: 2B21C2B59002589FDB10CFAAD984ADEFFF8EB48324F54841AE914A7310D378A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0139F11A), ref: 0139F207
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609151888.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1390000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 1a55cb21eb85a2ee3e135db3d7a0c61d089eefbc5992536e703c492278ce050b
                                                                  • Instruction ID: fa04e9947b4616f0d3c8397b49c74448118d0999ad26f1861785c621e3442923
                                                                  • Opcode Fuzzy Hash: 1a55cb21eb85a2ee3e135db3d7a0c61d089eefbc5992536e703c492278ce050b
                                                                  • Instruction Fuzzy Hash: 362133B5C006599FCB10CFAAC444BEEFBF8AF48324F15856AD814B7240D378A945CFA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0139F11A), ref: 0139F207
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609151888.0000000001390000.00000040.00000010.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1390000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 1834ec3f76ff59bd06edd0de13decefe3b1bc01872efb9b87728ac2bbdd55787
                                                                  • Instruction ID: 7112cc9689dbc4f3676fc7b514f906b7a70013c981c84ab68421b27b595447a9
                                                                  • Opcode Fuzzy Hash: 1834ec3f76ff59bd06edd0de13decefe3b1bc01872efb9b87728ac2bbdd55787
                                                                  • Instruction Fuzzy Hash: 261142B5C006199BCB00DF9AC444BDEFBF8EB48224F14856AE828B7200D378A954CFE1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02E5C212
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.609650390.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_2e50000_PI.jbxd
                                                                  Similarity
                                                                  • API ID: EncodePointer
                                                                  • String ID:
                                                                  • API String ID: 2118026453-0
                                                                  • Opcode ID: 165080428ce9ce8ed1cb6625760021dfba9d5198f25c843d94fb2a39963c0cf8
                                                                  • Instruction ID: ec01cf91d8290884a0cdfde25ff451fdc8632f39215b0eacc2a56cd8c9f5d6f1
                                                                  • Opcode Fuzzy Hash: 165080428ce9ce8ed1cb6625760021dfba9d5198f25c843d94fb2a39963c0cf8
                                                                  • Instruction Fuzzy Hash: 4211ACB19013058FDB10EFAAD5487DFBBF8EB48324F20942AD808E7600D7396544CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Execution Graph

                                                                  Execution Coverage: 10.9%
                                                                  Dynamic/Decrypted Code Coverage: 100%
                                                                  Signature Coverage: 0%
                                                                  Total number of Nodes: 229
                                                                  Total number of Limit Nodes: 13

                                                                  Graph


                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00BFBF90
                                                                  • GetCurrentThread.KERNEL32 ref: 00BFBFCD
                                                                  • GetCurrentProcess.KERNEL32 ref: 00BFC00A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00BFC063
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 87c044b9a4a216e9455fbed2f36fd293796f5ce8c899e7506cb6d431eb6c62aa
                                                                  • Instruction ID: a64de415baa4d2b623fe7d22a39f83c7efb69538fe3a2f11d8298357ea64fa75
                                                                  • Opcode Fuzzy Hash: 87c044b9a4a216e9455fbed2f36fd293796f5ce8c899e7506cb6d431eb6c62aa
                                                                  • Instruction Fuzzy Hash: 125165B0900649CFDB10CFA9C648BEEBBF1EF48314F24889AE419A7751C7745888CF62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00BFBF90
                                                                  • GetCurrentThread.KERNEL32 ref: 00BFBFCD
                                                                  • GetCurrentProcess.KERNEL32 ref: 00BFC00A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00BFC063
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 1bcb3e179e7ba37b4ea365a4930561500cf1a41c47e17f3367c647164a718aa3
                                                                  • Instruction ID: d65fb97ba6ae8e51a87194786dee5c8e27ed35efb5e3869b3059dbd1c1174406
                                                                  • Opcode Fuzzy Hash: 1bcb3e179e7ba37b4ea365a4930561500cf1a41c47e17f3367c647164a718aa3
                                                                  • Instruction Fuzzy Hash: 835147B09006498FDB14CFA9C549BEEFBF5EB48314F24885AE419A3750C7745889CF66
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 083473AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 3be8a35cb780b484bcaa911b19ee6c0d3e982aa54f52f6ed6b4034808e4cb487
                                                                  • Instruction ID: 22deaa3cf536b4d48c3666c67e07fc85a108e0c606abf783f5f8f606b161502a
                                                                  • Opcode Fuzzy Hash: 3be8a35cb780b484bcaa911b19ee6c0d3e982aa54f52f6ed6b4034808e4cb487
                                                                  • Instruction Fuzzy Hash: 48A18B71D002198FDF10DFA4C8407EDBBF2BF88314F149569E858A7290DB34A986CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 083473AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 021c57870a5ac0062093280377a6b5c29ca3213be73cb8b385060c23f9381906
                                                                  • Instruction ID: 4fcc117faeba1686c71d1003cf88f06f4b20a18942c50116dbf74215bdf429ec
                                                                  • Opcode Fuzzy Hash: 021c57870a5ac0062093280377a6b5c29ca3213be73cb8b385060c23f9381906
                                                                  • Instruction Fuzzy Hash: 9B915A71D002198FDF10DFA4C841BEDBBF6BB88315F149569E818A7290DB74A986CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00BFA176
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 8e431ac1059c4bc6a93a5103dd58e86152e3f6ec4cb8cd6fb710e7f783937cce
                                                                  • Instruction ID: 37e91786bd63c369dc61e79ba0eddc1208da06ecf8e313b4726845239209f67c
                                                                  • Opcode Fuzzy Hash: 8e431ac1059c4bc6a93a5103dd58e86152e3f6ec4cb8cd6fb710e7f783937cce
                                                                  • Instruction Fuzzy Hash: A2714770A00B098FD724DF69D0407AABBF5FF48344F008A6ED54AD7B40DB75E8098B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks bf558c-bf56e1; calls CreateActCtxA)
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00BF5649
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 5d0cfb4c8bdfb2b278a09d39938b3119ecf24e4e13be5805c36f21e943a0a240
                                                                  • Instruction ID: 5dbed333f7eee6057bc9387a7ba0b68f3313bd8a9559210c543c4965e79d9fff
                                                                  • Opcode Fuzzy Hash: 5d0cfb4c8bdfb2b278a09d39938b3119ecf24e4e13be5805c36f21e943a0a240
                                                                  • Instruction Fuzzy Hash: 4341F271C0061CCEDB20CF99C8847EEFBB9BF48304F608469D519AB251DB75694ACFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks bf3e30-bf56e1; calls CreateActCtxA)
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00BF5649
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: a36b905acacdeda18c5d95db14dafc8fb229588c90756e7f264d02a0a39000ee
                                                                  • Instruction ID: 2d461450e37797152fd44f1419b8f45c749db4266bd04c12091f2471d4c0aa78
                                                                  • Opcode Fuzzy Hash: a36b905acacdeda18c5d95db14dafc8fb229588c90756e7f264d02a0a39000ee
                                                                  • Instruction Fuzzy Hash: 72410070C0061CCBDB20CFA9C884BDEFBB9BF48304F608469D518AB251DB70694ACFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346ee8-8346fc6; calls WriteProcessMemory)
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08346F80
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 9cab21b1397d4d151bfc9f454a11d26e8568657341e91192e99b3f639711bced
                                                                  • Instruction ID: cb7ce9b44d957ee137262787ae0a85e52b89c497bf52fde0e373762e8485cfa7
                                                                  • Opcode Fuzzy Hash: 9cab21b1397d4d151bfc9f454a11d26e8568657341e91192e99b3f639711bced
                                                                  • Instruction Fuzzy Hash: 63213771D002499FDB10CFA9C8857EEBBF5FF48324F10892AE968A7640D774A955CBA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346ef0-8346fc6; calls WriteProcessMemory)
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08346F80
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 4ca007780ce7d1eeceb8ca3ae149b5f0e3088cacf398995a2c790676af2ac269
                                                                  • Instruction ID: b287cc76449e6345ba7b982e3b6f9d5835f896b3e6d41df527a0c68634906077
                                                                  • Opcode Fuzzy Hash: 4ca007780ce7d1eeceb8ca3ae149b5f0e3088cacf398995a2c790676af2ac269
                                                                  • Instruction Fuzzy Hash: 902127719003499FDB10CFA9C8857DEBBF5FF88314F10882AE958A7640D778A955CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks bfc151-bfc212; calls DuplicateHandle)
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFC1DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: e85642a66bb1df6b61b37d50faaff29b9c7110b11c9e338bfc32398b3776eea6
                                                                  • Instruction ID: 06fe6f5986d004ea369a0733da1424744d9aaf3b3eb7770622fd4e65450e3fab
                                                                  • Opcode Fuzzy Hash: e85642a66bb1df6b61b37d50faaff29b9c7110b11c9e338bfc32398b3776eea6
                                                                  • Instruction Fuzzy Hash: C321F4B5900249AFDB00CF99D584AEEBFF4EB48324F14841AE914A3211D374AA54CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346d53-8346e1c; calls SetThreadContext)
                                                                  APIs
                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 08346DD6
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0
                                                                  • Opcode ID: 49d019a5a7e9f3d59a9aaf018a7f0a26c31eae09a3e88643148b77c54281e6f6
                                                                  • Instruction ID: a3c4bc5cde9b43af9c2175ad80b751b1f806254a990c1510c4e6d5d7fb4b987c
                                                                  • Opcode Fuzzy Hash: 49d019a5a7e9f3d59a9aaf018a7f0a26c31eae09a3e88643148b77c54281e6f6
                                                                  • Instruction Fuzzy Hash: 38213A71D002088FDB10DFA9C4857EEBBF5EF99324F14842ED429A7681DB789945CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346d58-8346e1c; calls SetThreadContext)
                                                                  APIs
                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 08346DD6
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThread
                                                                  • String ID:
                                                                  • API String ID: 1591575202-0
                                                                  • Opcode ID: 0c8eddc72bc71c22e0b3089bfc16c6574d4a141dc6f4b5075b8f82ad11b2c33f
                                                                  • Instruction ID: 8bc670d9e7c2c57fb5274c84aa5bf858052add9eb1474d2c52468f0761b5ee57
                                                                  • Opcode Fuzzy Hash: 0c8eddc72bc71c22e0b3089bfc16c6574d4a141dc6f4b5075b8f82ad11b2c33f
                                                                  • Instruction Fuzzy Hash: A2213871D002088FDB10DFAAC4857EEBBF8EF89224F14842ED419A7741DB78A945CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346fe0-83470a6; calls ReadProcessMemory)
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08347060
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: b4fcba29e9edba6fb85f41d4972f7296747655acedd62da3bf1a6e342238e566
                                                                  • Instruction ID: f5ff22a36bcfd1bdb50c0561f9ae4895a4197f4dce5339890befece1209768ed
                                                                  • Opcode Fuzzy Hash: b4fcba29e9edba6fb85f41d4972f7296747655acedd62da3bf1a6e342238e566
                                                                  • Instruction Fuzzy Hash: 9F214871C002499FCB10DFAAC880BEEFBF5FF48320F10882AE518A3240C7749954CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph: rendered graph not reproduced (basic blocks 8346fdb-83470a6; calls ReadProcessMemory)
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08347060
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 448d0da7590a3d52ee66a5cd371efeea0e767fa0c2bca1a8dc84b4fc8cda97c0
                                                                  • Instruction ID: b68bbdbb00e14d6c44e3a960d22cbbc46544373e3e1f7ea84cfa62145c5d3484
                                                                  • Opcode Fuzzy Hash: 448d0da7590a3d52ee66a5cd371efeea0e767fa0c2bca1a8dc84b4fc8cda97c0
                                                                  • Instruction Fuzzy Hash: A4214871C002499FCB10DFA9C8847EEBBF5FF48320F10892AE528A3250C7749555CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFC1DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 82ac5290bc66682d6dbaa1aeeb8323994191f5c82f21f5d6d64cc235ba72862b
                                                                  • Instruction ID: a3b0f75882af26b458d5a1a5ca47cba4e8974555fdda0baf6bf4e655832129f7
                                                                  • Opcode Fuzzy Hash: 82ac5290bc66682d6dbaa1aeeb8323994191f5c82f21f5d6d64cc235ba72862b
                                                                  • Instruction Fuzzy Hash: 9921B3B59002499FDB10CF9AD984AEEBFF8EB48324F14841AE914B3711D374A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: 94f67043a5679690d5985c69dbd11f6ad352ce7816e74a462729150b7f1b1de2
                                                                  • Instruction ID: deae5c5c631150ec42946e108ea5caabbf3a572a110a1f129d563777abe0aec0
                                                                  • Opcode Fuzzy Hash: 94f67043a5679690d5985c69dbd11f6ad352ce7816e74a462729150b7f1b1de2
                                                                  • Instruction Fuzzy Hash: B221C0B1C083848FDB11DFA9C8543DEFFF4AF89224F14885AC015A7291D7799849CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08346E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: fbebfba6b24cdc348f7348f210ede23358d4b6e1a7b84452756d3c2149af549c
                                                                  • Instruction ID: 32a84de496cdec724f653b4dc1366aa247ea52f3115d8b08e5ec4b98e794c820
                                                                  • Opcode Fuzzy Hash: fbebfba6b24cdc348f7348f210ede23358d4b6e1a7b84452756d3c2149af549c
                                                                  • Instruction Fuzzy Hash: 6D116A758002498FCF10DFAAC8457EFBBF5EF88324F14881AE525A7650C775A955CFA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BFA1F1,00000800,00000000,00000000), ref: 00BFA402
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: f2cd777ef52f5b6c938dac7f57af8fa4475987e86f18f849f31a399820e47672
                                                                  • Instruction ID: cede50d2f363d61fa9172c3c9985e04e8c2d1d6b461326382e1db80f16f14fde
                                                                  • Opcode Fuzzy Hash: f2cd777ef52f5b6c938dac7f57af8fa4475987e86f18f849f31a399820e47672
                                                                  • Instruction Fuzzy Hash: DF1136B6C002498FCB14CF9AC484AEEFBF5EB88320F14842AD419A7710C375A949CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BFA1F1,00000800,00000000,00000000), ref: 00BFA402
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: fcee2136d70fc0c3b35937179ac97d384391583749b4f1d7d98cbb746620b0d3
                                                                  • Instruction ID: 35c7aa0476a9b24cd801f32e924ae9f655124f45c2bd0acbac6d89331c775813
                                                                  • Opcode Fuzzy Hash: fcee2136d70fc0c3b35937179ac97d384391583749b4f1d7d98cbb746620b0d3
                                                                  • Instruction Fuzzy Hash: A11108B29003489FCB14CF9AC444AEEFBF4EB48314F158469D519A7600C375A549CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08346E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 5ad92b40034149e3eb29736bbfc74c104f3ce0f819653f6667173abdcc452420
                                                                  • Instruction ID: 9e8a8e0cc652fbd3c6a3b4ad3310e04c98e48d8d7e146ac186fb69184f4d09fb
                                                                  • Opcode Fuzzy Hash: 5ad92b40034149e3eb29736bbfc74c104f3ce0f819653f6667173abdcc452420
                                                                  • Instruction Fuzzy Hash: FD1167718002489FCF10DFAAC8457DFBBF9EF88324F14881AE515A7610C775A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: 7c6f4b010173315caed0815e29e763da442fe83b2d96f65a1cec9c709c31fb43
                                                                  • Instruction ID: 7b51cb407c8031c6738876c72d0e54c2298f637d66b801d9f24a1f14eb0e864c
                                                                  • Opcode Fuzzy Hash: 7c6f4b010173315caed0815e29e763da442fe83b2d96f65a1cec9c709c31fb43
                                                                  • Instruction Fuzzy Hash: CC1166B1D002488BCB10DFAAC4457EEFBF9EB88224F14882AD419A7700D775A944CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0834A715
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: a7a33340d83e8a1a7d3677f414d3dcf7483831081db36af2fc586a367a75c1f2
                                                                  • Instruction ID: 877f230cbd1a8338249b384a3e2819abc6844f5dd95364367c5f7964415f8cb1
                                                                  • Opcode Fuzzy Hash: a7a33340d83e8a1a7d3677f414d3dcf7483831081db36af2fc586a367a75c1f2
                                                                  • Instruction Fuzzy Hash: 1B1118B58002599FCB20DF99C885BDEBFF4FB48324F14891AD524A7681C374A995CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00BFA176
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.506157620.0000000000BF0000.00000040.00000001.sdmp, Offset: 00BF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_bf0000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 107ff0a1ca8fe90831e5ddf588ea945052eeac12827ad4e771e9224f4a697567
                                                                  • Instruction ID: 65e6bdcc54d133e2720ab7073b298e1ad9cb6f464c9b10abec1c7015d32164e0
                                                                  • Opcode Fuzzy Hash: 107ff0a1ca8fe90831e5ddf588ea945052eeac12827ad4e771e9224f4a697567
                                                                  • Instruction Fuzzy Hash: 221113B2C006498FCB10CF9AC844BDEFBF4EB89324F15845AD529B7600C374A549CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0834A715
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.515915515.0000000008340000.00000040.00000001.sdmp, Offset: 08340000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_8340000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: 2f518173a48ca5f72e12ae464c6bdc1fa59543bb3995a57195cc1e9db518ea59
                                                                  • Instruction ID: 04e34fb78279c72dd9f5c3215700fb73b0996bcc01066e0ac4a762f5b375a2b6
                                                                  • Opcode Fuzzy Hash: 2f518173a48ca5f72e12ae464c6bdc1fa59543bb3995a57195cc1e9db518ea59
                                                                  • Instruction Fuzzy Hash: 9A11D3B58002499FDB10DF9AC885BDEBFF8EB48324F148419D554A7600C375A994CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505889200.0000000000B5D000.00000040.00000001.sdmp, Offset: 00B5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b5d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 88e63c975989dd880bad5d759f27224f8b3becf6efe8103321bebf5beca3f0e2
                                                                  • Instruction ID: 55c2cc4d5d91867cd11e0c76573a726e116aeceb97dba00a691d2a2e46bc1285
                                                                  • Opcode Fuzzy Hash: 88e63c975989dd880bad5d759f27224f8b3becf6efe8103321bebf5beca3f0e2
                                                                  • Instruction Fuzzy Hash: EE212871500240DFDB25DF54E9C0B26BFA5FB94329F24C6E9DC050B246D336D85ACBA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505934767.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b6d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 98c3578fac279016f172f042f7f86b2d5f4266e52b47e2ec463597375a06f541
                                                                  • Instruction ID: 330d9161547c94e9126b61cd547931a99d25f6e3f03011a0a424fe0e4ca399bc
                                                                  • Opcode Fuzzy Hash: 98c3578fac279016f172f042f7f86b2d5f4266e52b47e2ec463597375a06f541
                                                                  • Instruction Fuzzy Hash: 9421D4B1A04240EFDB15DF54D9D0B26BBE5FB88314F24C9ADE8094B286C33AD856CB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505934767.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b6d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2637e04bc0e3120a629e75ec8c1afe02170055a81f228f006471169d798c3568
                                                                  • Instruction ID: 6f4c628ee41a6a6358b473fa7080236e8753aef6bf46588b3b3ef89b10f256c9
                                                                  • Opcode Fuzzy Hash: 2637e04bc0e3120a629e75ec8c1afe02170055a81f228f006471169d798c3568
                                                                  • Instruction Fuzzy Hash: 2E21F575A04240DFCB14DF14D9D4B26BBA5FB84314F24C9A9D8094B286C33BD847CBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505934767.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b6d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e04a1c5ee9a0ce20f181a11575ab4ffc88a694be7035fd04358dc9ceac7f3cf3
                                                                  • Instruction ID: dd591146117a6085750a35394ef1d5acfe6b5c9a21dc0e0bff1889d672dc591e
                                                                  • Opcode Fuzzy Hash: e04a1c5ee9a0ce20f181a11575ab4ffc88a694be7035fd04358dc9ceac7f3cf3
                                                                  • Instruction Fuzzy Hash: 902162755083809FCB12CF14D994B11BFB1EB46314F28C5DAD8498F697C33A985ACB62
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505889200.0000000000B5D000.00000040.00000001.sdmp, Offset: 00B5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b5d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 189baa3621a1b6d92a2beb935f6e06ddffa1d94834130ffa225fbb3adf8786c3
                                                                  • Instruction ID: 6ee6af83021b40990fa6db7ef044328c38c7e38fc71a40ce0c48e227246af1af
                                                                  • Opcode Fuzzy Hash: 189baa3621a1b6d92a2beb935f6e06ddffa1d94834130ffa225fbb3adf8786c3
                                                                  • Instruction Fuzzy Hash: 3E11AF76504280CFCB12CF14E5C4B16BFB1FB94324F2486EADC450B656C336D85ACBA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505934767.0000000000B6D000.00000040.00000001.sdmp, Offset: 00B6D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b6d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0f76a4c832885a47eef9ebc7b6c2ce687a7dfcf81a03017dce253b815f903819
                                                                  • Instruction ID: 4db95ab2151ba5cb6fa6ee88debce75ed7bcddba0a4251d88d6e618c1b1ba791
                                                                  • Opcode Fuzzy Hash: 0f76a4c832885a47eef9ebc7b6c2ce687a7dfcf81a03017dce253b815f903819
                                                                  • Instruction Fuzzy Hash: A7118B75A04280DFCB12DF14D5D4B15FFA1FB84324F28C6AAD8494B696C33AD85ACB61
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505889200.0000000000B5D000.00000040.00000001.sdmp, Offset: 00B5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b5d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5c62ea90107ec878f33bd351cb7850d98e80ee193b859647b2419390edcaea1
                                                                  • Instruction ID: e8e29f9cc24e7bbccae14d1383036470a646c158ebc2aa74fe2c0654ddf4d90d
                                                                  • Opcode Fuzzy Hash: e5c62ea90107ec878f33bd351cb7850d98e80ee193b859647b2419390edcaea1
                                                                  • Instruction Fuzzy Hash: A501F7715083809AE7209B61CCC4BA6BBDCDF49375F188ADAED045B682D7789C49CAB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.505889200.0000000000B5D000.00000040.00000001.sdmp, Offset: 00B5D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_b5d000_catch.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05a507780e9fd77794364fdf5538bc9a428d8e359fbc6bb587effa94817f1b7e
                                                                  • Instruction ID: dd4a3a2f0539dced4f1662d6171562fb60cd9eeb3712a65b39e371d5cec06c5d
                                                                  • Opcode Fuzzy Hash: 05a507780e9fd77794364fdf5538bc9a428d8e359fbc6bb587effa94817f1b7e
                                                                  • Instruction Fuzzy Hash: 4FF06271404284AAE7209F15CC88BA2FFD8EB85734F18C59AED085B686D3799C48CAB1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Execution Graph

                                                                  Execution Coverage:10.8%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:231
                                                                  Total number of Limit Nodes:13

                                                                  Graph

                                                                  [Execution graph: rendered node/edge list of the injected stage. Node addresses span 0x8496ca0-0x849a66c and 0xd939f0-0xd9edd0; the API calls reachable in the graph are VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, GetThreadContext, CreateProcessA, ResumeThread, PostMessageW, CreateActCtxA, LoadLibraryExW, GetModuleHandleW and DuplicateHandle.]

                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  [Control-flow graph for the function at 849716c-84974bd; the only API call in the graph is CreateProcessA in the block 8497307-84973c1, with the executed/not-executed path colouring not preserved in text.]
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084973AE
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 0eddefa43009ef0a54dbe69e05c6c031513396aac260bc2b574532cd7c59c352
                                                                  • Instruction ID: eda095a454f40b25022827c6357e6bc925d9a475dc63d685c26875692900751f
                                                                  • Opcode Fuzzy Hash: 0eddefa43009ef0a54dbe69e05c6c031513396aac260bc2b574532cd7c59c352
                                                                  • Instruction Fuzzy Hash: 07A15971D10219CFDF20DFA4C881BEEBBB2BB48305F1485AAE858A7340DB749985CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08497178 (basic blocks 08497178-084974BD; graph rendering omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 084973AE
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 8327d7ed79a470f3ee67a6e50de4b4f2c8a1b1752ca6247aca64e261742c6d49
• Instruction ID: 73155cf6d2b91d6f73a0b814694a4b40c34d6710627920ee224f1f104801737a
• Opcode Fuzzy Hash: 8327d7ed79a470f3ee67a6e50de4b4f2c8a1b1752ca6247aca64e261742c6d49
• Instruction Fuzzy Hash: 2B914971D10219CFDF20CFA4C880BEEBBB6AB48315F14856AE858A7340DB749985CF91
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D99F30 (basic blocks 00D99F30-00D9A1A0; calls into 00D98AAC, 00D98AB8, 00D98AC8, 00D98AD8, 00D99B1C, 00D9A1A8, 00D9A1B8; graph rendering omitted)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D9A176
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b1cc92621ecb540f3a33842750b270bab8dc7481a97cd82e2ac83e3b01f399d2
• Instruction ID: ce0622e869daee976fc88f0fe9e14563037401f89b6e1c1d525c3f71d0704d48
• Opcode Fuzzy Hash: b1cc92621ecb540f3a33842750b270bab8dc7481a97cd82e2ac83e3b01f399d2
• Instruction Fuzzy Hash: 07714770A00B058FDB24DF6AD05079AB7F5FF88344F048A2ED45AD7A40DB75E809CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D9558C (basic blocks 00D9558C-00D956E1; graph rendering omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00D95649
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c4ad72a3ccd2adaf3e3a7e35633fdd8bb3f51d7f4e7ace2925a568fd0fd8bde4
• Instruction ID: 97fa77b38e3968f2a078d17cd863502f64177eb954a21296233b9c4fb96eeeb6
• Opcode Fuzzy Hash: c4ad72a3ccd2adaf3e3a7e35633fdd8bb3f51d7f4e7ace2925a568fd0fd8bde4
• Instruction Fuzzy Hash: 6141E271C00618CFDF24DF99C8847DEBBB5BF88308F648469D408AB255DB75A94ACFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D93E30 (basic blocks 00D93E30-00D956E1; graph rendering omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00D95649
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8255f60e1724a2ea2c3f98897be5820a6e0163ba7587c026d1ccd4f73c895fe1
• Instruction ID: 5b2294aa5e33f68d5a10cb1aad91d7e44b98c3c50a7fb573cd332dbf41b169ad
• Opcode Fuzzy Hash: 8255f60e1724a2ea2c3f98897be5820a6e0163ba7587c026d1ccd4f73c895fe1
• Instruction Fuzzy Hash: D141D271C00618CFDF24DF99C8847DDBBB5BF88304F648469D408AB255DB75A946CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496EE8 (basic blocks 08496EE8-08496FC6; graph rendering omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08496F80
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 36e8bb6312f51459675b141faeb73e50d2158a29e0222820fe2a54631b994843
• Instruction ID: 4ee9bacbcfc23cdf1ccd58d37fda1664db90ce40f9612c7410f5cb8bc5590d11
• Opcode Fuzzy Hash: 36e8bb6312f51459675b141faeb73e50d2158a29e0222820fe2a54631b994843
• Instruction Fuzzy Hash: 212124719002099FCF10CFA9C8847DEBBF5FF48354F15882AE958A7241C778A954CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496EF0 (basic blocks 08496EF0-08496FC6; graph rendering omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08496F80
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: cebe75565dd0505a1475af7ddde23b0053a5b69db14b646da896c02a8eb66746
• Instruction ID: 8b1e3e52afc41ea175c7c6ea54df2b0569cd8cd99438504a9aee85811a1e976e
• Opcode Fuzzy Hash: cebe75565dd0505a1475af7ddde23b0053a5b69db14b646da896c02a8eb66746
• Instruction Fuzzy Hash: F02113719003099FCF10CFA9C884BDEBBF5FB48354F11882AE959A7240D778A954CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D99ED0 (basic blocks 00D99ED0-00D9C212; graph rendering omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D9C11E,?,?,?,?,?), ref: 00D9C1DF
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c0aa957dda5a216d060e92cf980969c250ef8136de9759392507f17d3d1f6b81
• Instruction ID: 5180fa6ce5351191c327c601d7d36eb54698c1ee514843dca45fdbb4a2fbb6d4
• Opcode Fuzzy Hash: c0aa957dda5a216d060e92cf980969c250ef8136de9759392507f17d3d1f6b81
• Instruction Fuzzy Hash: BF21E4B5D003489FDB10CF9AD884AEEBBF8EB48324F14845AE914B3351D374A954CFA5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496D52 (basic blocks 08496D52-08496E1C; graph rendering omitted)
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 08496DD6
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: aac41af4fab5c917b025d69cbcfb884d393772c8e50ca3919a2c2007eba77bde
• Instruction ID: edda3230a7c47508e3f579c234237b8a711ac3581e94e3fe656dd8ebc27b451e
• Opcode Fuzzy Hash: aac41af4fab5c917b025d69cbcfb884d393772c8e50ca3919a2c2007eba77bde
• Instruction Fuzzy Hash: DE213971D002088FCB10DFAAC4847EEBBF8EF48254F15842ED469A7740DB789945CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496FDA (basic blocks 08496FDA-084970A6; graph rendering omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08497060
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: a4e56ebd3210a5945dabd914e6ddd25da689b89a0e8f66307764e5944fb39086
• Instruction ID: 3bb3d876b337a4be3e56f53ee3a94cc71eee17ed301c2392749e6813a206e354
• Opcode Fuzzy Hash: a4e56ebd3210a5945dabd914e6ddd25da689b89a0e8f66307764e5944fb39086
• Instruction Fuzzy Hash: 3D213671C002099FCF10CFAAC880AEEBBF5FF48310F10882AE558A7240D7789914CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496D58 (basic blocks 08496D58-08496E1C; graph rendering omitted)
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 08496DD6
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 89e569da072414397661fb91f20810b58cdf62bca1e3b75d2ad2acf5a8c89089
• Instruction ID: b2bd91f5f933ba68a272bdde2e897b9848bcf34a102a68e32c05faa75b1489ed
• Opcode Fuzzy Hash: 89e569da072414397661fb91f20810b58cdf62bca1e3b75d2ad2acf5a8c89089
• Instruction Fuzzy Hash: 26213871D002088FCB10DFAAC4847EEBBF8EF48264F15842ED469A7740DB789944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 08496FE0 (basic blocks 08496FE0-084970A6; graph rendering omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08497060
Memory Dump Source
• Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_8490000_catch.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: e080ac5a5f0f6cee38f59a021539c2bab89956e83f8b209390c600f7063f5476
• Instruction ID: 6ff92541bc45cd02b03302fed4cc3ac36119ead24d80c88a085e73512c6fc414
• Opcode Fuzzy Hash: e080ac5a5f0f6cee38f59a021539c2bab89956e83f8b209390c600f7063f5476
• Instruction Fuzzy Hash: 79212871D002099FCF10DFAAC880ADEFBF5FF48354F50882AE559A7240D7759954CBA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D9C151 (basic blocks 00D9C151-00D9C212; graph rendering omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D9C11E,?,?,?,?,?), ref: 00D9C1DF
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 11685534228c4fff24cb73177d89a0e3db08f7fe950e2ecf097d67e6f3a1e035
• Instruction ID: b3d1bb2427df594a39cdaed71a90b3be7bfb8a38395c823160d1ef89a453134c
• Opcode Fuzzy Hash: 11685534228c4fff24cb73177d89a0e3db08f7fe950e2ecf097d67e6f3a1e035
• Instruction Fuzzy Hash: 7921E3B59002099FDB00CF99D584ADEBBF5EB48360F14841AE914B3350D374AA55CF65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Function at 00D99B48 (basic blocks 00D99B48-00D9A435; graph rendering omitted)
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9A1F1,00000800,00000000,00000000), ref: 00D9A402
Memory Dump Source
• Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_d90000_catch.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 55a9acd835634fe853f9a88037a36241e85786966f46ebb49e8f6c3590a71eb6
• Instruction ID: 743fd35abfe08409923c37e2d3242513cc1316faa9508ab386065678020ff470
• Opcode Fuzzy Hash: 55a9acd835634fe853f9a88037a36241e85786966f46ebb49e8f6c3590a71eb6
• Instruction Fuzzy Hash: 561117B29003089FDB10CF9AC444ADEFBF4EB88354F15842AE419A7600C3B5A945CFA2
Uniqueness
• Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08496E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 9b3f620ce294937b71bf015969385993287195086091ef1a8a43c241a3721ffb
                                                                  • Instruction ID: 5e44bdcb792920e9146914672ec17c17669ef5cccae7f243520fc2b63cf260d4
                                                                  • Opcode Fuzzy Hash: 9b3f620ce294937b71bf015969385993287195086091ef1a8a43c241a3721ffb
                                                                  • Instruction Fuzzy Hash: BA1156718002089FCF10DFAAC844BDFBFF9EB88324F14881AE525A7250C779A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D9A1F1,00000800,00000000,00000000), ref: 00D9A402
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_d90000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 7dd18d4aeac8ec2f67dfd374f34de9978be3aa62d64f86059babede8587344d8
                                                                  • Instruction ID: 7b8fbb2de969837c2762e6fcea29ff47ed927e603f756973ba4b3523fa725477
                                                                  • Opcode Fuzzy Hash: 7dd18d4aeac8ec2f67dfd374f34de9978be3aa62d64f86059babede8587344d8
                                                                  • Instruction Fuzzy Hash: EC11F9B6D002099FCB10DF9AD444BDEFBF4EB88354F15842AD519A7700C3B5A945CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08496E9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: dbad2efd552ef0262b1bdbef2632319722dde20ce966a00bc842877147e68731
                                                                  • Instruction ID: 42274cd292609080ac804c003004aa9ec8f5d31815bd729cabc5a461776eb658
                                                                  • Opcode Fuzzy Hash: dbad2efd552ef0262b1bdbef2632319722dde20ce966a00bc842877147e68731
                                                                  • Instruction Fuzzy Hash: 291126719002089FCF10DFAAC8447DFBBF9AB88364F15881AE525A7250C7759954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: f67d3ea5dee213539b1c9c01588ea046594a2d965c1ea8276e831c7e9b88cf34
                                                                  • Instruction ID: fddba6af4c3a58e1297931b73450494211ff0aa0a738f3a6910988671b08408b
                                                                  • Opcode Fuzzy Hash: f67d3ea5dee213539b1c9c01588ea046594a2d965c1ea8276e831c7e9b88cf34
                                                                  • Instruction Fuzzy Hash: 861149B1D042088BDB10DFAAC4457DEFFF8EB88224F15882AD425A7740C775A544CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  • Opcode ID: b83a1e6f0b64f45295b6acf37800cab7bc047724669c56ac50ee7af761710f56
                                                                  • Instruction ID: b4c066f92768bbacda3203c407f4a5fbed2cfffc0b17dc1d6d5703e6257e8eb8
                                                                  • Opcode Fuzzy Hash: b83a1e6f0b64f45295b6acf37800cab7bc047724669c56ac50ee7af761710f56
                                                                  • Instruction Fuzzy Hash: 87113A71D002088BCB10DFAAD4447DFFBF9EB88264F15882AD425A7740C775A944CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00D9A176
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.506301426.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_d90000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 7e694acc54065accc61cbfd4bfca0455324ab1dfc63cee22eb74205b1b9d9d24
                                                                  • Instruction ID: a7bb8c402b1d1c29d9ed530ec46a9166cc139f0f809b44904915fa1f47b41626
                                                                  • Opcode Fuzzy Hash: 7e694acc54065accc61cbfd4bfca0455324ab1dfc63cee22eb74205b1b9d9d24
                                                                  • Instruction Fuzzy Hash: CF1102B2C007498FCB10CF9AC444BDEFBF4AB89324F15852AD429B7600C374A545CFA2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0849A65D
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: 09244b60dbb093a419bb8edd3b16ca2f096c0c1106c9ae2d0cf2ae9a554574ca
                                                                  • Instruction ID: 2dbd6b241fe08999dd26916b6a42a491550e98da02c763465fabf2aa6f9351e2
                                                                  • Opcode Fuzzy Hash: 09244b60dbb093a419bb8edd3b16ca2f096c0c1106c9ae2d0cf2ae9a554574ca
                                                                  • Instruction Fuzzy Hash: 7B11F2B58007099FDB10DF9AD888BDEBBF8EB48360F10841AE564A7640C375A954CFA5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • PostMessageW.USER32(?,?,?,?), ref: 0849A65D
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.515831699.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_8490000_catch.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  • Opcode ID: a64d007f42c4f531b4646752857ed8c3dc361b26215e086e37eb9997a4107f1c
                                                                  • Instruction ID: e2f2d8722af15ec879c7919fc3d8fa70251f2686e49468a6c104f986f84f123e
                                                                  • Opcode Fuzzy Hash: a64d007f42c4f531b4646752857ed8c3dc361b26215e086e37eb9997a4107f1c
                                                                  • Instruction Fuzzy Hash: 561100B58003089FCB20DF9AD884BDEBFF8EB48320F10841AE468A3600C374A954CFA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions