Windows Analysis Report
PI PDF.exe

Overview

General Information

Sample Name: PI PDF.exe
Analysis ID: 626548
MD5: 530c898ee065629d77b0b12781991d4f
SHA1: 316f4b32bdcaca1902a7e9898a31f3fae42ebe30
SHA256: 56e4da2be0de5210fa5f78b35aed78dc18145164b03c396d85098368aae825a5
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name recorded in the version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PI PDF.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\PI PDF.exe" MD5: 530C898EE065629D77B0B12781991D4F)
    • schtasks.exe (PID: 6320 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PI PDF.exe (PID: 6384 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
    • PI PDF.exe (PID: 6344 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
  • bwjRNo.exe (PID: 5976 cmdline: "C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe" MD5: 530C898EE065629D77B0B12781991D4F)
    • schtasks.exe (PID: 6948 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmpC00D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • bwjRNo.exe (PID: 1112 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
    • bwjRNo.exe (PID: 4588 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
    • bwjRNo.exe (PID: 1252 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
    • bwjRNo.exe (PID: 6808 cmdline: {path} MD5: 530C898EE065629D77B0B12781991D4F)
  • bwjRNo.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe" MD5: 530C898EE065629D77B0B12781991D4F)
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Username": "basker@ocenmasters.com", "Password": "donblack12345", "Host": "webmail.ocenmasters.com"}
Source | Rule | Description | Author | Strings
00000008.00000000.291840024.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.291840024.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.290109897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.290109897.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.291116090.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 38 entries shown)

Source | Rule | Description | Author | Strings
0.2.PI PDF.exe.3f50928.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PI PDF.exe.3f50928.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PI PDF.exe.3f50928.4.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x10fb9d:$s10: logins
  • 0x10f604:$s11: credential
  • 0x10bac6:$g1: get_Clipboard
  • 0x10bad4:$g2: get_Keyboard
  • 0x10bae1:$g3: get_Password
  • 0x10ce98:$g4: get_CtrlKeyDown
  • 0x10cea8:$g5: get_ShiftKeyDown
  • 0x10ceb9:$g6: get_AltKeyDown
0.2.PI PDF.exe.3e18ae8.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PI PDF.exe.3e18ae8.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(first 5 of 64 entries shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 20.2.bwjRNo.exe.3a9b108.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "basker@ocenmasters.com", "Password": "donblack12345", "Host": "webmail.ocenmasters.com"}
Source: PI PDF.exe | Virustotal: Detection: 35%
Source: PI PDF.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe | ReversingLabs: Detection: 48%
Source: PI PDF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Joe Sandbox ML: detected
Source: PI PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PI PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 19_2_0750F270
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | IP Address: 198.54.126.161
Source: global traffic | TCP traffic: 192.168.2.3:49752 -> 198.54.126.161:587
Source: unknown | DNS traffic detected: queries for: webmail.ocenmasters.com

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\PI PDF.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: PI PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.PI PDF.exe.3f50928.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 0.2.PI PDF.exe.3e18ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.0.PI PDF.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.0.PI PDF.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.0.PI PDF.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 20.2.bwjRNo.exe.3a9b108.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 20.2.bwjRNo.exe.3a9b108.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 19.2.bwjRNo.exe.33e4f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
Source: 19.2.bwjRNo.exe.468b108.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.0.bwjRNo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.2.bwjRNo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.0.bwjRNo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 0.2.PI PDF.exe.2c44ee8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
Source: 0.2.PI PDF.exe.3eeb108.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.2.PI PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.0.PI PDF.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 20.2.bwjRNo.exe.27f4f44.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
Source: 0.2.PI PDF.exe.3eeb108.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 8.0.PI PDF.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.0.bwjRNo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 19.2.bwjRNo.exe.468b108.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.0.bwjRNo.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 29.0.bwjRNo.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 19.2.bwjRNo.exe.45b8ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: 20.2.bwjRNo.exe.39c8ae8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 (author = ditekSHen, description = AgentTeslaV3 infostealer payload)
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_02AEE580 | 0_2_02AEE580
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_02AEBCF4 | 0_2_02AEBCF4
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C2520 | 0_2_056C2520
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C2510 | 0_2_056C2510
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C6DD8 | 0_2_056C6DD8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C84D0 | 0_2_056C84D0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C84BF | 0_2_056C84BF
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C2700 | 0_2_056C2700
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C26F9 | 0_2_056C26F9
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C0EC8 | 0_2_056C0EC8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C0EB8 | 0_2_056C0EB8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C9688 | 0_2_056C9688
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C6900 | 0_2_056C6900
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C6910 | 0_2_056C6910
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C0040 | 0_2_056C0040
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056CA828 | 0_2_056CA828
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C6020 | 0_2_056C6020
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C0007 | 0_2_056C0007
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C601C | 0_2_056C601C
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056CA819 | 0_2_056CA819
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C20C8 | 0_2_056C20C8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C20D8 | 0_2_056C20D8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C60D7 | 0_2_056C60D7
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056CB0A0 | 0_2_056CB0A0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056CB090 | 0_2_056CB090
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C0BFA | 0_2_056C0BFA
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C22E0 | 0_2_056C22E0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C72C1 | 0_2_056C72C1
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C32D0 | 0_2_056C32D0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C72D0 | 0_2_056C72D0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C22D0 | 0_2_056C22D0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_056C32AB | 0_2_056C32AB
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_00802050 | 0_2_00802050
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 7_2_00162050 | 7_2_00162050
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_02B2F080 | 8_2_02B2F080
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_02B2F3C8 | 8_2_02B2F3C8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E76B41 | 8_2_05E76B41
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E7A2E0 | 8_2_05E7A2E0
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E772B8 | 8_2_05E772B8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E71FF8 | 8_2_05E71FF8
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E7EF7A | 8_2_05E7EF7A
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E70040 | 8_2_05E70040
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_00922050 | 8_2_00922050
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0333E570 | 19_2_0333E570
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0333E580 | 19_2_0333E580
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0333BCF4 | 19_2_0333BCF4
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07506FF8 | 19_2_07506FF8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07509688 | 19_2_07509688
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750B308 | 19_2_0750B308
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750BA10 | 19_2_0750BA10
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07506910 | 19_2_07506910
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07500040 | 19_2_07500040
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07502700 | 19_2_07502700
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750A791 | 19_2_0750A791
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750A7A0 | 19_2_0750A7A0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07509678 | 19_2_07509678
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07500EC3 | 19_2_07500EC3
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07500EC8 | 19_2_07500EC8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075026F9 | 19_2_075026F9
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07502510 | 19_2_07502510
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07502520 | 19_2_07502520
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07506DD8 | 19_2_07506DD8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075084D0 | 19_2_075084D0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075084BF | 19_2_075084BF
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07500BFB | 19_2_07500BFB
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075032D0 | 19_2_075032D0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075072D0 | 19_2_075072D0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075022D0 | 19_2_075022D0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075072C1 | 19_2_075072C1
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750B2F8 | 19_2_0750B2F8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075022E0 | 19_2_075022E0
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075032B5 | 19_2_075032B5
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07506900 | 19_2_07506900
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750B018 | 19_2_0750B018
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07500006 | 19_2_07500006
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750B008 | 19_2_0750B008
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_0750600D | 19_2_0750600D
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_07506020 | 19_2_07506020
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075060D7 | 19_2_075060D7
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075020D8 | 19_2_075020D8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_075020C8 | 19_2_075020C8
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_00ED2050 | 19_2_00ED2050
Source: PI PDF.exe, 00000000.00000003.273158420.0000000003252000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.299980503.0000000004084000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIIuzxkpCGoEBKBOkVbmUIIlTGZHstRdAKDO.exe( vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.299681122.0000000003F42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIIuzxkpCGoEBKBOkVbmUIIlTGZHstRdAKDO.exe( vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.299681122.0000000003F42000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.293716932.00000000008E0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.302310875.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PI PDF.exe
Source: PI PDF.exe, 00000000.00000002.294550223.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs PI PDF.exe
Source: PI PDF.exe, 00000007.00000002.286700492.0000000000240000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe, 00000008.00000000.289454545.0000000000A00000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe, 00000008.00000000.291935973.000000000045A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIIuzxkpCGoEBKBOkVbmUIIlTGZHstRdAKDO.exe( vs PI PDF.exe
Source: PI PDF.exe, 00000008.00000002.506183003.0000000000B98000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PI PDF.exe
Source: PI PDF.exe, 00000008.00000003.317609617.00000000064DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe | Binary or memory string: OriginalFilenameZPXmS.exe8 vs PI PDF.exe
Source: PI PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jAZPdPbNZIxFH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bwjRNo.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PI PDF.exe | Virustotal: Detection: 35%
Source: PI PDF.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\PI PDF.exe | File read: C:\Users\user\Desktop\PI PDF.exe
Source: PI PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PI PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PI PDF.exe "C:\Users\user\Desktop\PI PDF.exe"
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Users\user\Desktop\PI PDF.exe {path}
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Users\user\Desktop\PI PDF.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe "C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe "C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe"
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmpC00D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Users\user\Desktop\PI PDF.exe {path}
Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Users\user\Desktop\PI PDF.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmpC00D.tmp
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
Source: C:\Users\user\Desktop\PI PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PI PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PI PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PI PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PI PDF.exe | File created: C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe
Source: C:\Users\user\Desktop\PI PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3224.tmp
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@21/10@4/1
Source: C:\Users\user\Desktop\PI PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PI PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PI PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Mutant created: \Sessions\1\BaseNamedObjects\vPhHtROxXdxEXTzYHVOIlPxTpe
Source: C:\Users\user\Desktop\PI PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PI PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PI PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PI PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_008076A7 push es; retf | 0_2_008076BE
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 0_2_008076BF push es; retf | 0_2_008076D6
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 7_2_001676BF push es; retf | 7_2_001676D6
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 7_2_001676A7 push es; retf | 7_2_001676BE
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_009276BF push es; retf | 8_2_009276D6
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_009276A7 push es; retf | 8_2_009276BE
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E7EDE2 pushfd ; retf | 8_2_05E7EE39
Source: C:\Users\user\Desktop\PI PDF.exe | Code function: 8_2_05E7ED42 pushad ; retf | 8_2_05E7ED49
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_00ED76A7 push es; retf | 19_2_00ED76BE
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_00ED76BF push es; retf | 19_2_00ED76D6
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Code function: 19_2_058EBE78 push eax; ret | 19_2_058EBEC5
Source: initial sample | Static PE information: section name: .text entropy: 7.87186503084
Source: initial sample | Static PE information: section name: .text entropy: 7.87186503084
Source: initial sample | Static PE information: section name: .text entropy: 7.87186503084
Source: C:\Users\user\Desktop\PI PDF.exe | File created: C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe
Source: C:\Users\user\Desktop\PI PDF.exe | File created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe

Boot Survival

Source: C:\Users\user\Desktop\PI PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp
Source: C:\Users\user\Desktop\PI PDF.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bwjRNo
Source: C:\Users\user\Desktop\PI PDF.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bwjRNo

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PI PDF.exe | File opened: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PI PDF.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: PI PDF.exe PID: 6928, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: bwjRNo.exe PID: 5976, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: bwjRNo.exe PID: 6228, type: MEMORYSTR
                    Source: PI PDF.exe, 00000000.00000002.297565092.000000000316F000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000002.294550223.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000013.00000002.392889468.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000013.00000002.395240366.0000000003911000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000014.00000002.372471030.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: PI PDF.exe, 00000000.00000002.297565092.000000000316F000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000002.294550223.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000013.00000002.392889468.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000013.00000002.395240366.0000000003911000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000014.00000002.372471030.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\PI PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PI PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PI PDF.exe TID: 6460 Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\PI PDF.exe TID: 6620 Thread sleep count: 4067 > 30
                    Source: C:\Users\user\Desktop\PI PDF.exe TID: 6620 Thread sleep count: 4816 > 30
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 2356 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 6796 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 1636 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 2116 Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 4820 Thread sleep count: 4832 > 30
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe TID: 4820 Thread sleep count: 3936 > 30
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\PI PDF.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PI PDF.exe Window / User API: threadDelayed 4067
                    Source: C:\Users\user\Desktop\PI PDF.exe Window / User API: threadDelayed 4816
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Window / User API: threadDelayed 4832
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Window / User API: threadDelayed 3936
                    Source: C:\Users\user\Desktop\PI PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PI PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PI PDF.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PI PDF.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Thread delayed: delay time: 922337203685477
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: PI PDF.exe, 00000000.00000002.302635668.0000000007B90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: bwjRNo.exe, 00000014.00000002.374011546.0000000002D21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: PI PDF.exe, 00000008.00000002.508374208.00000000010E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\PI PDF.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PI PDF.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PI PDF.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PI PDF.exe File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Memory written: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PI PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp
                    Source: C:\Users\user\Desktop\PI PDF.exe Process created: C:\Users\user\Desktop\PI PDF.exe {path}
                    Source: C:\Users\user\Desktop\PI PDF.exe Process created: C:\Users\user\Desktop\PI PDF.exe {path}
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmpC00D.tmp
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe Process created: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe {path}
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Users\user\Desktop\PI PDF.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Users\user\Desktop\PI PDF.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PI PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\PI PDF.exe | File written: C:\Windows\System32\drivers\etc\hosts
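The report records that PI PDF.exe wrote the hosts file but not what it wrote. A write to this file from a non-installer process is itself the signal: the usual purpose is to blackhole or redirect name resolution (security-vendor update and telemetry domains are the classic targets), which survives the malware being removed. The first responder check is therefore to list every active mapping a stock Windows hosts file would not contain. The script below is an added example and not part of the Joe Sandbox report; the hosts content it parses is constructed for illustration, and the sinkhole-address heuristic is an assumption, not something the report states about this sample.

```python
"""Triage helper for a tampered Windows hosts file.

Added example, not part of the Joe Sandbox report: the report only records
that PI PDF.exe wrote C:\\Windows\\System32\\drivers\\etc\\hosts, not what it
wrote, so the file content below is constructed for illustration.
"""
import ipaddress
import sys

# The only name a stock Windows hosts file maps (and even that is usually commented out).
DEFAULT_NAMES = {"localhost"}
# Addresses used to blackhole a name rather than redirect it (heuristic, an assumption).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every active mapping in hosts-file text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # the resolver ignores malformed lines; so do we
        for name in parts[1:]:
            entries.append((n, ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Active mappings a clean Windows host would not contain, with a reason for each."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        reason = "sinkholed" if ip in SINKHOLE_ADDRS else "redirected"
        findings.append({"line": n, "ip": ip, "host": name, "reason": reason})
    return findings


# Constructed sample: the stock Microsoft header plus three attacker-style additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
0.0.0.0   av-vendor.example   www.av-vendor.example
0.0.0.0   telemetry.example
10.0.0.5  update.example.net
"""

if __name__ == "__main__":
    # Pass a path to inspect a real file (e.g. a copy pulled from the infected host).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in suspicious_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Run it against a copy of the file taken from the host; anything it prints is either an administrator's deliberate override or evidence of what the sample wrote. Comparing the output against the same file from a known-clean build of the same image removes the first case.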

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.PI PDF.exe.3f50928.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PI PDF.exe.3e18ae8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.PI PDF.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.PI PDF.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.PI PDF.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.bwjRNo.exe.3a9b108.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.bwjRNo.exe.3a9b108.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.bwjRNo.exe.468b108.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.bwjRNo.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.2.bwjRNo.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.bwjRNo.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PI PDF.exe.3eeb108.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.PI PDF.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.PI PDF.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.PI PDF.exe.3eeb108.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.PI PDF.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.bwjRNo.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.bwjRNo.exe.468b108.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.bwjRNo.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.bwjRNo.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.bwjRNo.exe.45b8ae8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.bwjRNo.exe.39c8ae8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000000.291840024.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.290109897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.291116090.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.503093780.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.395553350.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000000.290705194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.374264940.00000000037CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.382535137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.503050607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.299681122.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.298244806.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.383158880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.380264934.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.397542210.00000000046E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.381604157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.509640311.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.509270910.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PI PDF.exe PID: 6928, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: PI PDF.exe PID: 6344, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwjRNo.exe PID: 5976, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwjRNo.exe PID: 6808, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PI PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PI PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\PI PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\PI PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\PI PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara match | File source: 0000001D.00000002.509640311.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.509270910.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PI PDF.exe PID: 6344, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bwjRNo.exe PID: 6808, type: MEMORYSTR
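The file and registry paths listed above are the stealer's shopping list: mail client profiles (Thunderbird, IncrediMail, Outlook's MAPI profile key), FTP/SFTP clients (WinSCP sessions, SmartFTP favorites, FileZilla recent servers) and browser stores (Firefox profiles.ini, Chrome Cookies and Login Data). Each of them is normally opened only by the application that owns it, so the detection that generalises beyond this sample is "process X, which is not the owning application, opened store Y", with the confidence rising as one process touches several unrelated stores in one run. The script below is an added example, not part of the Joe Sandbox report or of any vendor product: the watchlist is taken from the findings above, the owner-process allowlist is an assumption to be tuned per estate, and the access events are constructed in a simplified, assumed (image, path) shape that stands in for Sysmon file-create/registry events or EDR file-access telemetry.

```python
"""Watchlist detection for the credential stores this sample touched.

Added example, not part of the Joe Sandbox report. The watchlist is the set of
file and registry paths listed under "Stealing of Sensitive Information"; the
events are constructed in a simplified, assumed shape (image, path) standing in
for Sysmon file-create/registry telemetry or EDR file-access logs.
"""
import fnmatch

# (glob over the accessed path, process images expected to own that store).
# Owner names are an assumption for the allowlist; tune them to the estate.
CREDENTIAL_STORES = [
    (r"*\AppData\Roaming\Thunderbird\profiles.ini", {"thunderbird.exe"}),
    (r"*\AppData\Roaming\Mozilla\Firefox\profiles.ini", {"firefox.exe"}),
    (r"*\AppData\Local\Google\Chrome\User Data\*\Login Data", {"chrome.exe"}),
    (r"*\AppData\Local\Google\Chrome\User Data\*\Cookies", {"chrome.exe"}),
    (r"*\AppData\Roaming\FileZilla\recentservers.xml", {"filezilla.exe"}),
    (r"*\AppData\Roaming\SmartFTP\Client 2.0\Favorites\*", {"smartftp.exe"}),
    (r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions*", {"winscp.exe"}),
    (r"HKEY_CURRENT_USER\Software\IncrediMail\Identities*", {"incmail.exe"}),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
     r"\Windows Messaging Subsystem\Profiles\*", {"outlook.exe"}),
]


def matched_store(path):
    """Return (pattern, owners) for the watchlist entry a path falls under, else None."""
    p = path.lower()
    for pattern, owners in CREDENTIAL_STORES:
        # fnmatchcase on lowercased strings: case-insensitive on every platform,
        # and '*' spans backslashes, so the glob covers any profile directory.
        if fnmatch.fnmatchcase(p, pattern.lower()):
            return pattern, owners
    return None


def unexpected_accesses(events):
    """(image, path, pattern) for each access by a process that does not own the store."""
    hits = []
    for ev in events:
        m = matched_store(ev["path"])
        if m is None:
            continue
        pattern, owners = m
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in owners:
            hits.append((ev["image"], ev["path"], pattern))
    return hits


def rank_processes(events, min_stores=2):
    """Processes that touched at least min_stores distinct stores they do not own.

    One stray access may be a backup agent; several unrelated stores from one
    image is the stealer pattern seen in this report.
    """
    per_proc = {}
    for image, _path, pattern in unexpected_accesses(events):
        per_proc.setdefault(image, set()).add(pattern)
    return {img: sorted(pats) for img, pats in per_proc.items() if len(pats) >= min_stores}


# Constructed events mirroring the report's findings plus benign owner activity.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\PI PDF.exe",
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": r"C:\Users\user\Desktop\PI PDF.exe",
     "path": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": r"C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe",
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"image": r"C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",      # benign owner
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",     # benign owner
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\System32\notepad.exe",                            # not a store
     "path": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, stores in rank_processes(SAMPLE_EVENTS).items():
        print(f"{image}: {len(stores)} credential stores touched")
        for s in stores:
            print(f"    {s}")
```

Matching on the image basename is deliberately loose so that the rule fires on a renamed or relocated copy such as the bwjRNo.exe drop in %APPDATA%; an estate that can sign-check the owner process should do that instead of trusting the name.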

                    Remote Access Functionality

                    barindex
                    Source: Yara match; File source: Process Memory Space: PI PDF.exe PID: 6928, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: PI PDF.exe PID: 6344, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: bwjRNo.exe PID: 5976, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: bwjRNo.exe PID: 6808, type: MEMORYSTR
                    MITRE ATT&CK matrix (techniques listed per tactic in the report's column order; the numbers in brackets are the counts shown beside a technique in the matrix):

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation [2 1 1]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                    Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                    Privilege Escalation: Process Injection [1 1 1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                    Defense Evasion: File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Obfuscated Files or Information [3]; Software Packing [2]; Masquerading [1]; Virtualization/Sandbox Evasion [1 3 1]; Process Injection [1 1 1]; Hidden Files and Directories [1]
                    Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: File and Directory Discovery [1]; System Information Discovery [1 1 4]; Query Registry [1]; Security Software Discovery [3 1 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1 3 1]; Application Window Discovery [1]; Remote System Discovery [1]
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                    Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1 1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
                    Behavior Graph ID: 626548 - Sample: PI PDF.exe - Startdate: 14/05/2022 - Architecture: WINDOWS - Score: 100

                    Start
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 9 other signatures
                      Started: bwjRNo.exe [node 7]; PI PDF.exe [node 10]; bwjRNo.exe [node 13]

                    bwjRNo.exe [node 7]
                      Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
                      Started: bwjRNo.exe [node 15]; schtasks.exe [node 19]; bwjRNo.exe [node 21]; 2 other processes

                    PI PDF.exe [node 10]
                      Dropped: C:\Users\user\AppData\...\jAZPdPbNZIxFH.exe (PE32); C:\Users\user\AppData\Local\...\tmp3224.tmp (XML); C:\Users\user\AppData\...\PI PDF.exe.log (ASCII)
                      Started: PI PDF.exe [node 23]; schtasks.exe [node 26]; PI PDF.exe [node 28]

                    bwjRNo.exe [node 15]
                      Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                    schtasks.exe [node 19]
                      Started: conhost.exe

                    PI PDF.exe [node 23]
                      Network: webmail.ocenmasters.com (198.54.126.161), ports 49752, 49756, 49778, NAMECHEAP-NETUS, United States
                      Dropped: C:\Users\user\AppData\Roaming\...\bwjRNo.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\bwjRNo.exe:Zone.Identifier (ASCII)
                      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)

                    schtasks.exe [node 26]
                      Started: conhost.exe

                    Source | Detection | Scanner | Label
                    PI PDF.exe | 35% | Virustotal |
                    PI PDF.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
                    PI PDF.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke
                    C:\Users\user\AppData\Roaming\jAZPdPbNZIxFH.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke

                    Source | Detection | Scanner | Label
                    8.0.PI PDF.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1203024
                    8.0.PI PDF.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1203024
                    8.0.PI PDF.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.2.bwjRNo.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.0.bwjRNo.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1203024
                    8.2.PI PDF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.0.bwjRNo.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1203024
                    8.0.PI PDF.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1203024
                    8.0.PI PDF.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.0.bwjRNo.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.0.bwjRNo.exe.400000.10.unpack | 100% | Avira | HEUR/AGEN.1203024
                    29.0.bwjRNo.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1203024

                    Source | Detection | Scanner | Label
                    webmail.ocenmasters.com | 0% | Virustotal |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    webmail.ocenmasters.com | 198.54.126.161 | true | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                                        unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlPI PDF.exe, 00000000.00000003.249138762.0000000005C1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.jiyu-kobo.co.jp/PI PDF.exe, 00000000.00000002.301150695.0000000006DF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers8PI PDF.exe, 00000000.00000002.301150695.0000000006DF2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.fontbureau.comuPI PDF.exe, 00000000.00000003.248368737.0000000005BE9000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.249987331.0000000005BE9000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.249055911.0000000005BEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sajatypeworks.com#PI PDF.exe, 00000000.00000003.238934806.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.239014164.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.238957767.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.238846807.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.239145630.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.239165623.0000000005C04000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.239081087.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.238911883.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp, PI PDF.exe, 00000000.00000003.238991885.0000000005BFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cnk-sPI PDF.exe, 00000000.00000003.241607174.0000000005C1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://KCCXXE.combwjRNo.exe, 0000001D.00000002.509640311.0000000002D41000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sajatypeworks.com(PI PDF.exe, 00000000.00000003.238846807.0000000005BFB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.fontbureau.comsiefPI PDF.exe, 00000000.00000003.249987331.0000000005BE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.founder.com.cn/cn#PI PDF.exe, 00000000.00000003.241607174.0000000005C1D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
IP:198.54.126.161
Domain:webmail.ocenmasters.com
Country:United States
ASN:22612
ASN Name:NAMECHEAP-NETUS
Malicious:true
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:626548
Start date and time: 2022-05-14 12:25:09 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 13m 8s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:PI PDF.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:36
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.adwa.spyw.evad.winEXE@21/10@4/1
                                            EGA Information:
                                            • Successful, ratio: 75%
                                            HDC Information:
                                            • Successful, ratio: 3.4% (good quality ratio 3.4%)
                                            • Quality average: 83%
                                            • Quality standard deviation: 1%
                                            HCA Information:
                                            • Successful, ratio: 96%
                                            • Number of executed functions: 82
                                            • Number of non-executed functions: 32
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target PI PDF.exe, PID 6384 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
12:26:18  API Interceptor  634x Sleep call for process: PI PDF.exe modified
12:26:40  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run bwjRNo C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
12:26:49  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run bwjRNo C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
12:26:55  API Interceptor  334x Sleep call for process: bwjRNo.exe modified
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                        Process:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1216
                                                                        Entropy (8bit):5.355304211458859
                                                                        Encrypted:false
                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                        MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                        SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                        SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                        SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1646
                                                                        Entropy (8bit):5.203453803097939
                                                                        Encrypted:false
                                                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBH93Btn:cbh47TlNQ//rydbz9I3YODOLNdq3P3T
                                                                        MD5:977B4AD5C289482E309FBF6BD147FF93
                                                                        SHA1:1F2715FC226E643FC4F1B6255228E89F38ACD738
                                                                        SHA-256:B28491B184A5EEDF25BE98D21F1957F16EC3F280D5E59FBE6218009B9AA11C9E
                                                                        SHA-512:08990A0A8E47354799F7D5490D58FCB0BF4DE92AF47A40E7FB8018F57D4DD896E8FF61A672C2260F97A62984951C69D3D552E60281EB46FE555E0A01A8107850
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                        Process:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):1646
                                                                        Entropy (8bit):5.203453803097939
                                                                        Encrypted:false
                                                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBH93Btn:cbh47TlNQ//rydbz9I3YODOLNdq3P3T
                                                                        MD5:977B4AD5C289482E309FBF6BD147FF93
                                                                        SHA1:1F2715FC226E643FC4F1B6255228E89F38ACD738
                                                                        SHA-256:B28491B184A5EEDF25BE98D21F1957F16EC3F280D5E59FBE6218009B9AA11C9E
                                                                        SHA-512:08990A0A8E47354799F7D5490D58FCB0BF4DE92AF47A40E7FB8018F57D4DD896E8FF61A672C2260F97A62984951C69D3D552E60281EB46FE555E0A01A8107850
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):904704
                                                                        Entropy (8bit):7.867040525817705
                                                                        Encrypted:false
                                                                        SSDEEP:12288:t/icL3Ygn2Y75AbVmtCVOdgF/y+mizs/yeCMrKxB+6qP8rgTc4Mpi/F:t6co4JdgrhzsamrKxPmigwWd
                                                                        MD5:530C898EE065629D77B0B12781991D4F
                                                                        SHA1:316F4B32BDCACA1902A7E9898A31F3FAE42EBE30
                                                                        SHA-256:56E4DA2BE0DE5210FA5F78B35AED78DC18145164B03C396D85098368AAE825A5
                                                                        SHA-512:3F35683D138D80FF728A2878D0DA0E5FF8EF5D342D085A7C051A0BD6F1A0A85E6B58050D07595B1C535A40D011968B1516A1B31F8B112DBE0A2EA2B8DDA776A6
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 49%
                                                                        Reputation:unknown
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E~b..............P.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........Y...Z......`........-............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r+..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):26
                                                                        Entropy (8bit):3.95006375643621
                                                                        Encrypted:false
                                                                        SSDEEP:3:ggPYV:rPYV
                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):904704
                                                                        Entropy (8bit):7.867040525817705
                                                                        Encrypted:false
                                                                        SSDEEP:12288:t/icL3Ygn2Y75AbVmtCVOdgF/y+mizs/yeCMrKxB+6qP8rgTc4Mpi/F:t6co4JdgrhzsamrKxPmigwWd
                                                                        MD5:530C898EE065629D77B0B12781991D4F
                                                                        SHA1:316F4B32BDCACA1902A7E9898A31F3FAE42EBE30
                                                                        SHA-256:56E4DA2BE0DE5210FA5F78B35AED78DC18145164B03C396D85098368AAE825A5
                                                                        SHA-512:3F35683D138D80FF728A2878D0DA0E5FF8EF5D342D085A7C051A0BD6F1A0A85E6B58050D07595B1C535A40D011968B1516A1B31F8B112DBE0A2EA2B8DDA776A6
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 49%
                                                                        Reputation:unknown
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E~b..............P.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........Y...Z......`........-............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r+..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                        Category:modified
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):0.6970840431455908
                                                                        Encrypted:false
                                                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                        Category:dropped
                                                                        Size (bytes):20480
                                                                        Entropy (8bit):0.6970840431455908
                                                                        Encrypted:false
                                                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                                        Malicious:false
                                                                        Reputation:unknown
                                                                        Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\PI PDF.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):835
                                                                        Entropy (8bit):4.694294591169137
                                                                        Encrypted:false
                                                                        SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                                        MD5:6EB47C1CF858E25486E42440074917F2
                                                                        SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                                        SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                                        SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                                        Malicious:true
                                                                        Reputation:unknown
                                                                        Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):7.867040525817705
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        File name:PI PDF.exe
                                                                        File size:904704
                                                                        MD5:530c898ee065629d77b0b12781991d4f
                                                                        SHA1:316f4b32bdcaca1902a7e9898a31f3fae42ebe30
                                                                        SHA256:56e4da2be0de5210fa5f78b35aed78dc18145164b03c396d85098368aae825a5
                                                                        SHA512:3f35683d138d80ff728a2878d0da0e5ff8ef5d342d085a7c051a0bd6f1a0a85e6b58050d07595b1c535a40d011968b1516a1b31f8b112dbe0a2ea2b8dda776a6
                                                                        SSDEEP:12288:t/icL3Ygn2Y75AbVmtCVOdgF/y+mizs/yeCMrKxB+6qP8rgTc4Mpi/F:t6co4JdgrhzsamrKxPmigwWd
                                                                        TLSH:181512013B6C7D66D4ABDB345211C0088AF1AC5FBD27E22A3DD77C8E985974097B1EB1
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....E~b..............P.................. ........@.. .......................@............@................................
                                                                        Icon Hash:00828e8e8686b000
                                                                        Entrypoint:0x4de2de
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                        Time Stamp:0x627E45A6 [Fri May 13 11:48:54 2022 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:v4.0.30319
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                         Name                                  Virtual Address  Virtual Size  Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0xde28c          0x4f          .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x5a4         .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                         Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                         .text   0x2000           0xdc30c       0xdc400   False     0.90938475454    data       7.87186503084    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                         .rsrc   0xe0000          0x5a4         0x600     False     0.420572916667   data       4.07782470148    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                         .reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                         Name         RVA      Size   Type                                                                          Language  Country
                                                                         RT_VERSION   0xe0090  0x314  data
                                                                         RT_MANIFEST  0xe03b4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                         DLL          Import
                                                                         mscoree.dll  _CorExeMain
                                                                         Description       Data
                                                                         Translation       0x0000 0x04b0
                                                                         LegalCopyright    Copyright 2017
                                                                         Assembly Version  1.0.0.0
                                                                         InternalName      ZPXmS.exe
                                                                         FileVersion       1.0.0.0
                                                                         CompanyName
                                                                         LegalTrademarks
                                                                         Comments
                                                                         ProductName       Coffee Shop
                                                                         ProductVersion    1.0.0.0
                                                                         FileDescription   Coffee Shop
                                                                         OriginalFilename  ZPXmS.exe
                                                                         Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                                                         May 14, 2022 12:26:45.863831997 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:46.036645889 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:46.036787033 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:46.521317005 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:46.521672964 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:46.695774078 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:46.698307037 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:46.871859074 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:46.872452974 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:47.085675955 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:48.456665993 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:48.464423895 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:48.637429953 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:48.638108969 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:48.638216019 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:48.645277977 CEST  49752        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:48.817888021 CEST  587          49752      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:50.134658098 CEST  49756        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:50.308897018 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:50.311944962 CEST  49756        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:50.580655098 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:50.582381964 CEST  49756        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:50.756458044 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:50.757569075 CEST  49756        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:50.972130060 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:54.943469048 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:54.944633961 CEST  49756        587        192.168.2.3      198.54.126.161
                                                                         May 14, 2022 12:26:55.122080088 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                         May 14, 2022 12:26:57.174988031 CEST  587          49756      198.54.126.161   192.168.2.3
                                                                        May 14, 2022 12:26:57.175209999 CEST49756587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:26:57.349693060 CEST58749756198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:26:57.349997997 CEST58749756198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:26:57.350090027 CEST49756587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:26:57.350496054 CEST49756587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:26:57.524431944 CEST58749756198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:30.868840933 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:31.045579910 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:31.045717955 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:31.266168118 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:31.266634941 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:31.444529057 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:31.444958925 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:31.622293949 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:31.623956919 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:31.841794014 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:33.153253078 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:33.153584957 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:33.331151962 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:33.331515074 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:33.331624985 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:33.348444939 CEST49778587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:33.525588036 CEST58749778198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:35.495639086 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:35.670006990 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:35.670198917 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:35.901343107 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:35.971069098 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:36.152457952 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:36.327141047 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:36.327440023 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:36.542601109 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:40.508548975 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:40.529777050 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:40.704498053 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:42.439783096 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:42.440644026 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:42.615334988 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:42.615612030 CEST58749793198.54.126.161192.168.2.3
                                                                        May 14, 2022 12:27:42.615740061 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:42.616202116 CEST49793587192.168.2.3198.54.126.161
                                                                        May 14, 2022 12:27:42.790404081 CEST58749793198.54.126.161192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 12:26:45.816303968 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:26:45.837141991 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
May 14, 2022 12:26:50.101141930 CEST | 63332 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:26:50.121200085 CEST | 53 | 63332 | 8.8.8.8 | 192.168.2.3
May 14, 2022 12:27:30.753124952 CEST | 59795 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:27:30.775355101 CEST | 53 | 59795 | 8.8.8.8 | 192.168.2.3
May 14, 2022 12:27:35.432094097 CEST | 63861 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 12:27:35.454005003 CEST | 53 | 63861 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 12:26:45.816303968 CEST | 192.168.2.3 | 8.8.8.8 | 0x8863 | Standard query (0) | webmail.ocenmasters.com | A (IP address) | IN (0x0001)
May 14, 2022 12:26:50.101141930 CEST | 192.168.2.3 | 8.8.8.8 | 0x53a2 | Standard query (0) | webmail.ocenmasters.com | A (IP address) | IN (0x0001)
May 14, 2022 12:27:30.753124952 CEST | 192.168.2.3 | 8.8.8.8 | 0x5ff3 | Standard query (0) | webmail.ocenmasters.com | A (IP address) | IN (0x0001)
May 14, 2022 12:27:35.432094097 CEST | 192.168.2.3 | 8.8.8.8 | 0x9827 | Standard query (0) | webmail.ocenmasters.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 12:26:45.837141991 CEST | 8.8.8.8 | 192.168.2.3 | 0x8863 | No error (0) | webmail.ocenmasters.com | | 198.54.126.161 | A (IP address) | IN (0x0001)
May 14, 2022 12:26:50.121200085 CEST | 8.8.8.8 | 192.168.2.3 | 0x53a2 | No error (0) | webmail.ocenmasters.com | | 198.54.126.161 | A (IP address) | IN (0x0001)
May 14, 2022 12:27:30.775355101 CEST | 8.8.8.8 | 192.168.2.3 | 0x5ff3 | No error (0) | webmail.ocenmasters.com | | 198.54.126.161 | A (IP address) | IN (0x0001)
May 14, 2022 12:27:35.454005003 CEST | 8.8.8.8 | 192.168.2.3 | 0x9827 | No error (0) | webmail.ocenmasters.com | | 198.54.126.161 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 14, 2022 12:26:46.521317005 CEST | 587 | 49752 | 198.54.126.161 | 192.168.2.3 | 220-premium12.web-hosting.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 06:26:46 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 12:26:46.521672964 CEST | 49752 | 587 | 192.168.2.3 | 198.54.126.161 | EHLO 216554
May 14, 2022 12:26:46.695774078 CEST | 587 | 49752 | 198.54.126.161 | 192.168.2.3 | 250-premium12.web-hosting.com Hello 216554 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 12:26:46.698307037 CEST | 49752 | 587 | 192.168.2.3 | 198.54.126.161 | AUTH login YmFza2VyQG9jZW5tYXN0ZXJzLmNvbQ==
May 14, 2022 12:26:46.871859074 CEST | 587 | 49752 | 198.54.126.161 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 12:26:48.456665993 CEST | 587 | 49752 | 198.54.126.161 | 192.168.2.3 | 535 Incorrect authentication data
May 14, 2022 12:26:48.464423895 CEST | 49752 | 587 | 192.168.2.3 | 198.54.126.161 | MAIL FROM:<basker@ocenmasters.com>
May 14, 2022 12:26:48.637429953 CEST | 587 | 49752 | 198.54.126.161 | 192.168.2.3 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
May 14, 2022 12:26:50.580655098 CEST | 587 | 49756 | 198.54.126.161 | 192.168.2.3 | 220-premium12.web-hosting.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 06:26:50 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 12:26:50.582381964 CEST | 49756 | 587 | 192.168.2.3 | 198.54.126.161 | EHLO 216554
May 14, 2022 12:26:50.756458044 CEST | 587 | 49756 | 198.54.126.161 | 192.168.2.3 | 250-premium12.web-hosting.com Hello 216554 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 12:26:50.757569075 CEST | 49756 | 587 | 192.168.2.3 | 198.54.126.161 | AUTH login YmFza2VyQG9jZW5tYXN0ZXJzLmNvbQ==
May 14, 2022 12:26:54.943469048 CEST | 587 | 49756 | 198.54.126.161 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 12:26:57.174988031 CEST | 587 | 49756 | 198.54.126.161 | 192.168.2.3 | 535 Incorrect authentication data
May 14, 2022 12:26:57.175209999 CEST | 49756 | 587 | 192.168.2.3 | 198.54.126.161 | MAIL FROM:<basker@ocenmasters.com>
May 14, 2022 12:26:57.349693060 CEST | 587 | 49756 | 198.54.126.161 | 192.168.2.3 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
May 14, 2022 12:27:31.266168118 CEST | 587 | 49778 | 198.54.126.161 | 192.168.2.3 | 220-premium12.web-hosting.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 06:27:31 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 12:27:31.266634941 CEST | 49778 | 587 | 192.168.2.3 | 198.54.126.161 | EHLO 216554
May 14, 2022 12:27:31.444529057 CEST | 587 | 49778 | 198.54.126.161 | 192.168.2.3 | 250-premium12.web-hosting.com Hello 216554 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 12:27:31.444958925 CEST | 49778 | 587 | 192.168.2.3 | 198.54.126.161 | AUTH login YmFza2VyQG9jZW5tYXN0ZXJzLmNvbQ==
May 14, 2022 12:27:31.622293949 CEST | 587 | 49778 | 198.54.126.161 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 12:27:33.153253078 CEST | 587 | 49778 | 198.54.126.161 | 192.168.2.3 | 535 Incorrect authentication data
May 14, 2022 12:27:33.153584957 CEST | 49778 | 587 | 192.168.2.3 | 198.54.126.161 | MAIL FROM:<basker@ocenmasters.com>
May 14, 2022 12:27:33.331151962 CEST | 587 | 49778 | 198.54.126.161 | 192.168.2.3 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
May 14, 2022 12:27:35.901343107 CEST | 587 | 49793 | 198.54.126.161 | 192.168.2.3 | 220-premium12.web-hosting.com ESMTP Exim 4.94.2 #2 Sat, 14 May 2022 06:27:35 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 12:27:36.152457952 CEST | 49793 | 587 | 192.168.2.3 | 198.54.126.161 | EHLO 216554
May 14, 2022 12:27:36.327141047 CEST | 587 | 49793 | 198.54.126.161 | 192.168.2.3 | 250-premium12.web-hosting.com Hello 216554 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 14, 2022 12:27:36.327440023 CEST | 49793 | 587 | 192.168.2.3 | 198.54.126.161 | AUTH login YmFza2VyQG9jZW5tYXN0ZXJzLmNvbQ==
May 14, 2022 12:27:40.508548975 CEST | 587 | 49793 | 198.54.126.161 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 12:27:42.439783096 CEST | 587 | 49793 | 198.54.126.161 | 192.168.2.3 | 535 Incorrect authentication data
May 14, 2022 12:27:42.440644026 CEST | 49793 | 587 | 192.168.2.3 | 198.54.126.161 | MAIL FROM:<basker@ocenmasters.com>
May 14, 2022 12:27:42.615334988 CEST | 587 | 49793 | 198.54.126.161 | 192.168.2.3 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                                                                        Target ID:0
                                                                        Start time:12:26:06
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\Desktop\PI PDF.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\PI PDF.exe"
                                                                        Imagebase:0x800000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299681122.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.299681122.0000000003F42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.298244806.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.298244806.0000000003C1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:4
                                                                        Start time:12:26:28
                                                                        Start date:14/05/2022
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmp3224.tmp
                                                                        Imagebase:0x1370000
                                                                        File size:185856 bytes
                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:5
                                                                        Start time:12:26:29
                                                                        Start date:14/05/2022
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7c9170000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:7
                                                                        Start time:12:26:29
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\Desktop\PI PDF.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x160000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:8
                                                                        Start time:12:26:30
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\Desktop\PI PDF.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0x920000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.291840024.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.291840024.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.290109897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.290109897.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.291116090.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.291116090.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.290705194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.290705194.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.503050607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.503050607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.509270910.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.509270910.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:19
                                                                        Start time:12:26:49
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe"
                                                                        Imagebase:0xed0000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.395553350.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.395553350.00000000043BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.397542210.00000000046E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.397542210.00000000046E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 49%, ReversingLabs
                                                                        Reputation:low

                                                                        Target ID:20
                                                                        Start time:12:26:57
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe"
                                                                        Imagebase:0x360000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.374264940.00000000037CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.374264940.00000000037CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low

                                                                        Target ID:22
                                                                        Start time:12:27:06
                                                                        Start date:14/05/2022
                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jAZPdPbNZIxFH" /XML "C:\Users\user\AppData\Local\Temp\tmpC00D.tmp
                                                                        Imagebase:0x1370000
                                                                        File size:185856 bytes
                                                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:23
                                                                        Start time:12:27:06
                                                                        Start date:14/05/2022
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7c9170000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        Target ID:24
                                                                        Start time:12:27:07
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x160000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:27
                                                                        Start time:12:27:09
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x200000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:28
                                                                        Start time:12:27:11
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:{path}
                                                                        Imagebase:0x30000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low

                                                                        Target ID:29
                                                                        Start time:12:27:12
                                                                        Start date:14/05/2022
                                                                        Path:C:\Users\user\AppData\Roaming\bwjRNo\bwjRNo.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:{path}
                                                                        Imagebase:0x750000
                                                                        File size:904704 bytes
                                                                        MD5 hash:530C898EE065629D77B0B12781991D4F
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.503093780.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000002.503093780.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.382535137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.382535137.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.383158880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.383158880.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.380264934.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.380264934.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.509640311.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.509640311.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.381604157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.381604157.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low


                                                                          Execution Graph

                                                                          Execution Coverage:6.5%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:85
                                                                          Total number of Limit Nodes:4
                                                                          execution_graph 16697 2ae96c8 16698 2ae970a 16697->16698 16699 2ae9710 GetModuleHandleW 16697->16699 16698->16699 16700 2ae973d 16699->16700 16785 2aee538 16786 2ae94e8 LoadLibraryExW 16785->16786 16787 2aee541 16786->16787 16788 56cdf30 16789 56ce0bb 16788->16789 16791 56cdf56 16788->16791 16791->16789 16793 2aedb54 16791->16793 16796 56cb748 16791->16796 16794 2aeff40 SetWindowLongW 16793->16794 16795 2aeffac 16794->16795 16795->16791 16797 56ce1f8 PostMessageW 16796->16797 16798 56ce264 16797->16798 16798->16791 16701 2ae68a0 16702 2ae68b7 16701->16702 16705 2ae55e4 16702->16705 16704 2ae68c4 16706 2ae55ef 16705->16706 16709 2ae568c 16706->16709 16708 2ae6995 16708->16704 16710 2ae5697 16709->16710 16713 2ae56bc 16710->16713 16712 2ae6a7a 16712->16708 16714 2ae56c7 16713->16714 16717 2ae56ec 16714->16717 16716 2ae6b6a 16716->16712 16718 2ae56f7 16717->16718 16720 2ae727e 16718->16720 16723 2ae93b9 16718->16723 16719 2ae72bc 16719->16716 16720->16719 16727 2aeb508 16720->16727 16731 2ae93e9 16723->16731 16736 2ae93f0 16723->16736 16724 2ae93ce 16724->16720 16728 2aeb529 16727->16728 16729 2aeb54d 16728->16729 16762 2aeb6b8 16728->16762 16729->16719 16732 2ae93f0 16731->16732 16740 2ae94db 16732->16740 16745 2ae94e8 16732->16745 16733 2ae93ff 16733->16724 16738 2ae94db LoadLibraryExW 16736->16738 16739 2ae94e8 LoadLibraryExW 16736->16739 16737 2ae93ff 16737->16724 16738->16737 16739->16737 16741 2ae9500 16740->16741 16742 2ae950b 16741->16742 16750 2ae976b 16741->16750 16754 2ae9770 16741->16754 16742->16733 16746 2ae94fb 16745->16746 16747 2ae950b 16746->16747 16748 2ae976b LoadLibraryExW 16746->16748 16749 2ae9770 LoadLibraryExW 16746->16749 16747->16733 16748->16747 16749->16747 16751 2ae9770 16750->16751 16753 2ae97a9 16751->16753 16758 2ae8890 16751->16758 16753->16742 16755 2ae9784 16754->16755 16756 2ae97a9 16755->16756 16757 2ae8890 LoadLibraryExW 16755->16757 16756->16742 
16757->16756 16759 2ae9950 LoadLibraryExW 16758->16759 16761 2ae99c9 16759->16761 16761->16753 16763 2aeb6c5 16762->16763 16764 2aeb6ff 16763->16764 16766 2ae9e74 16763->16766 16764->16729 16768 2ae9e7f 16766->16768 16767 2aec3f8 16768->16767 16770 2aeba24 16768->16770 16771 2aeba2f 16770->16771 16772 2ae56ec LoadLibraryExW 16771->16772 16773 2aec467 16772->16773 16773->16767 16774 2aeef00 16775 2aeef2a 16774->16775 16776 2aeefd1 16775->16776 16778 2aefca8 16775->16778 16781 2aedb1c 16778->16781 16782 2aefcf8 CreateWindowExW 16781->16782 16784 2aefe1c 16782->16784 16799 2aeb7d0 16800 2aeb836 16799->16800 16803 2aebd98 16800->16803 16806 2aeb9c4 16803->16806 16807 2aebe00 DuplicateHandle 16806->16807 16808 2aeb8e5 16807->16808

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 551 2aedb1c-2aefd5e 553 2aefd69-2aefd70 551->553 554 2aefd60-2aefd66 551->554 555 2aefd7b-2aefe1a CreateWindowExW 553->555 556 2aefd72-2aefd78 553->556 554->553 558 2aefe1c-2aefe22 555->558 559 2aefe23-2aefe5b 555->559 556->555 558->559 563 2aefe5d-2aefe60 559->563 564 2aefe68 559->564 563->564
                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AEFE0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: 338f849f63c8b097343dfc0604f36baa8cd40caba60734c2fefe1f61d2afd3e3
                                                                          • Instruction ID: 4e9d4b11063cb7cc6b865ceeba939871a8846152f31dfcc4bbd84180452c3738
                                                                          • Opcode Fuzzy Hash: 338f849f63c8b097343dfc0604f36baa8cd40caba60734c2fefe1f61d2afd3e3
                                                                          • Instruction Fuzzy Hash: 2E51C0B1D003089FDF14CF99C984ADEBBB5FF48314F64852AE819AB210DB74A985CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 657 2aeb9c4-2aebe94 DuplicateHandle 659 2aebe9d-2aebeba 657->659 660 2aebe96-2aebe9c 657->660 660->659
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02AEBDC6,?,?,?,?,?), ref: 02AEBE87
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: e8d351e3ac9caa8fe80e5dbd7220b1aa91c3b968469912ed7ee7cd7f2f2d8188
                                                                          • Instruction ID: 28be3d7d4945297eb39842001606e0607662e7fa2c76dc7358c2c5ca89c14c0a
                                                                          • Opcode Fuzzy Hash: e8d351e3ac9caa8fe80e5dbd7220b1aa91c3b968469912ed7ee7cd7f2f2d8188
                                                                          • Instruction Fuzzy Hash: 6021F2B5904208AFDB10CFA9D984AEEFBF8FB48324F14845AE915A3310D374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 663 2ae8890-2ae9990 665 2ae9998-2ae99c7 LoadLibraryExW 663->665 666 2ae9992-2ae9995 663->666 667 2ae99c9-2ae99cf 665->667 668 2ae99d0-2ae99ed 665->668 666->665 667->668
                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AE97A9,00000800,00000000,00000000), ref: 02AE99BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 7443bd2e6a645e86e3a0e5316655f6d78a9e8cafc40de2e795afd4e2faf52432
                                                                          • Instruction ID: acde7d3a8d30d4a656813b0c75c31bb29e7cb2613057dc312e5a606b3ec9e42a
                                                                          • Opcode Fuzzy Hash: 7443bd2e6a645e86e3a0e5316655f6d78a9e8cafc40de2e795afd4e2faf52432
                                                                          • Instruction Fuzzy Hash: C51103B69043099FDB10CF9AD584BDEFBF4AB88324F04842ED959B7210C778A545CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 671 2ae994b-2ae9990 673 2ae9998-2ae99c7 LoadLibraryExW 671->673 674 2ae9992-2ae9995 671->674 675 2ae99c9-2ae99cf 673->675 676 2ae99d0-2ae99ed 673->676 674->673 675->676
                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AE97A9,00000800,00000000,00000000), ref: 02AE99BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: bde39873304a4326dbf6220ab70d27d701a3500abfeaebf26eed6fc74cceff72
                                                                          • Instruction ID: fd1967f696e013400fbdf66af4aff2965974a98442ac0d61c73177147a427191
                                                                          • Opcode Fuzzy Hash: bde39873304a4326dbf6220ab70d27d701a3500abfeaebf26eed6fc74cceff72
                                                                          • Instruction Fuzzy Hash: C11100B69042099FCB10CF9AC584BDEFBF8AB88324F04882ED459B7210C778A545CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 679 2ae96c3-2ae9708 681 2ae970a-2ae970d 679->681 682 2ae9710-2ae973b GetModuleHandleW 679->682 681->682 683 2ae973d-2ae9743 682->683 684 2ae9744-2ae9758 682->684 683->684
                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02AE972E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: b3cfee04c49ef54604d1ee7b2e8fa0ff7f688f14dd0bae27cf5526b4536496f3
                                                                          • Instruction ID: 26de621ce77992dd606086645e27f2708bb4463a6f6854efa80682180af56e7b
                                                                          • Opcode Fuzzy Hash: b3cfee04c49ef54604d1ee7b2e8fa0ff7f688f14dd0bae27cf5526b4536496f3
                                                                          • Instruction Fuzzy Hash: 6E11F0B5D002098FCB10CF9AC584B9FBBF9AB88224F14885AD419B7200D778A54ACFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 686 2ae96c8-2ae9708 687 2ae970a-2ae970d 686->687 688 2ae9710-2ae973b GetModuleHandleW 686->688 687->688 689 2ae973d-2ae9743 688->689 690 2ae9744-2ae9758 688->690 689->690
                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02AE972E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 57fdb0943eda668d3fb9dcf7b0de660e929e2dd480ee59aa900de28fab857ae0
                                                                          • Instruction ID: 6a9c9bd5e22dde8e3e535f9e059163a94b4cb519c9992fac4fd3b1af34989e57
                                                                          • Opcode Fuzzy Hash: 57fdb0943eda668d3fb9dcf7b0de660e929e2dd480ee59aa900de28fab857ae0
                                                                          • Instruction Fuzzy Hash: 2411F0B5D002098FCB10CF9AC544A9EBBF9AB88224F14885AD419A7200D774A54ACFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 692 2aedb54-2aeffaa SetWindowLongW 694 2aeffac-2aeffb2 692->694 695 2aeffb3-2aeffc7 692->695 694->695
                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02AEFF28,?,?,?,?), ref: 02AEFF9D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 1ca799f63cf01b18dfc7beaf3ec4cec241e42420c69a7ee581653baf2280a30f
                                                                          • Instruction ID: 46662ec4b00bb50114d48648be2eb51f1e337e8fad049d04db5d9fece37c6ff4
                                                                          • Opcode Fuzzy Hash: 1ca799f63cf01b18dfc7beaf3ec4cec241e42420c69a7ee581653baf2280a30f
                                                                          • Instruction Fuzzy Hash: A11133B59042089FDB10CF99D584BDEFBF8EB88324F10845AE815B3700C374A944CFA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph 697 56cb748-56ce262 PostMessageW 699 56ce26b-56ce27f 697->699 700 56ce264-56ce26a 697->700 700->699
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 056CE255
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 22ef608ed7684aa9d5d0d8996b454cbe41e7fc86be442bc30a7a5e8527f4ac1f
                                                                          • Instruction ID: 29d29b59a156efd6945f337abe6581902848d9ae6adc7cac5dd093ba61ef25d7
                                                                          • Opcode Fuzzy Hash: 22ef608ed7684aa9d5d0d8996b454cbe41e7fc86be442bc30a7a5e8527f4ac1f
                                                                          • Instruction Fuzzy Hash: 0111F5B58043499FDB20CF99C584BEEBBF8FB48324F108459E955A7600C379A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

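The report flattens each function's control-flow graph into a single `control_flow_graph` line (node id, hex address range, optional API name, and `src->dst` edges) and lists resolved calls as `Func.MODULE(args), ref: ADDR`. The parser below is an added example written for this page, not Joe Sandbox code: the record formats are inferred from the entries above, the sample lines are copied from the `GetModuleHandleW` and `PostMessageW` entries, and the `WM_NAMES` table is a hand-picked subset of the winuser.h window-message constants (0x0010 is `WM_CLOSE`), so the second `PostMessageW` argument can be decoded.

```python
"""Parse Joe Sandbox IDA-plugin 'control_flow_graph' and 'APIs' lines into structured data.

Added example, not Joe Sandbox code; formats inferred from the report entries above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples copied from the report entries above.
CFG_LINE = (
    "control_flow_graph 686 2ae96c8-2ae9708 687 2ae970a-2ae970d 686->687 "
    "688 2ae9710-2ae973b GetModuleHandleW 686->688 687->688 "
    "689 2ae973d-2ae9743 688->689 690 2ae9744-2ae9758 688->690 689->690"
)
API_LINE = "PostMessageW.USER32(?,00000010,00000000,?), ref: 056CE255"

# Subset of the Win32 window-message constants (winuser.h); assumed here for decoding.
WM_NAMES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")
NODE_RE = re.compile(r"^\d+$")
API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


@dataclass
class Block:
    node_id: int
    start: int = 0
    end: int = 0
    calls: List[str] = field(default_factory=list)  # API names attached to this block


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Turn one flattened control_flow_graph line into (blocks by id, edge list)."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    for tok in tokens[1:]:
        m = EDGE_RE.match(tok)
        if m:  # "686->687": an edge; does not change the block being defined
            edges.append((int(m.group(1)), int(m.group(2))))
            continue
        if NODE_RE.match(tok):  # "686": starts a new block definition
            current = blocks.setdefault(int(tok), Block(int(tok)))
            continue
        m = RANGE_RE.match(tok)
        if m and current is not None:  # "2ae96c8-2ae9708": address range of current block
            current.start, current.end = int(m.group(1), 16), int(m.group(2), 16)
            continue
        if current is not None:  # anything else is an API name called from current block
            current.calls.append(tok)
    return blocks, edges


def entry_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks with no incoming edge: the function entry (normally exactly one)."""
    targets = {dst for _, dst in edges}
    return sorted(b for b in blocks if b not in targets)


def exit_blocks(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks with no outgoing edge: the function's return paths."""
    sources = {src for src, _ in edges}
    return sorted(b for b in blocks if b not in sources)


def parse_api(line: str) -> dict:
    """Parse 'Func.MODULE(args), ref: ADDR'; a '?' argument was not resolved by the sandbox."""
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError("not an API record")
    func, module, raw_args, ref = m.groups()
    args = [None if a == "?" else int(a, 16) for a in raw_args.split(",")] if raw_args else []
    return {"function": func, "module": module, "args": args, "ref": int(ref, 16)}


def describe_message(api: dict) -> Optional[str]:
    """For Post/SendMessage records, name the window message carried in the 2nd argument."""
    if api["function"] not in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
        return None
    msg = api["args"][1] if len(api["args"]) > 1 else None
    if msg is None:
        return None
    return WM_NAMES.get(msg, f"WM_0x{msg:04X}")


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_LINE)
    print(f"{len(blocks)} blocks, {len(edges)} edges, entry {entry_blocks(blocks, edges)}")
    for b in blocks.values():
        if b.calls:
            print(f"  block {b.node_id} {b.start:08x}-{b.end:08x} calls {b.calls}")
    api = parse_api(API_LINE)
    print(api["function"], describe_message(api))
```

Running it shows the `GetModuleHandleW` call sits in block 688, which both 686 and 687 fall through to, and decodes the `PostMessageW` record as a `WM_CLOSE` (0x10) sent to a window handle the sandbox could not resolve.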
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 08f64f404e4dd47f4ffd334c64c6e1b96b6463a180184a5d33884645b605d97f
                                                                          • Instruction ID: 67105ae852622c2f920ea9b7747681751d3ec9d1118776d974b6410f50fcfec5
                                                                          • Opcode Fuzzy Hash: 08f64f404e4dd47f4ffd334c64c6e1b96b6463a180184a5d33884645b605d97f
                                                                          • Instruction Fuzzy Hash: 83216A75508740DFCF09CF94E9C0B2ABF65FB88324F24C5AAE9044B646C336D856CBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8566058448baf201587dbf6a9b7319e8c8f41dbcb44d1fcbdff1a30900047bb4
                                                                          • Instruction ID: d69ad5c25430446703266b1317a2831618ecbba53796d2e25991b5f9d95f7d7e
                                                                          • Opcode Fuzzy Hash: 8566058448baf201587dbf6a9b7319e8c8f41dbcb44d1fcbdff1a30900047bb4
                                                                          • Instruction Fuzzy Hash: 892148B5504640DFDF09DF54E9C0B26BF75FB88328F6485A8E9054BA06C336D846CBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294227551.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11bd000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5d8e44f65d6ac9b850d816be21f5149623c71c2113791807de584c5c3d37286e
                                                                          • Instruction ID: 7311c6fdac354114269bdec2f3a7163895d437b731a2832fd7b8c03e69c89d2a
                                                                          • Opcode Fuzzy Hash: 5d8e44f65d6ac9b850d816be21f5149623c71c2113791807de584c5c3d37286e
                                                                          • Instruction Fuzzy Hash: AD212571508240DFCF1DDF54E5C0B66BB65FB84358F24C9A9E9094B246C33AD847CB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294227551.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11bd000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9b5a4dcd115e69641762c3c2e28ed59073ce919ca37378d088593d738fffa8f3
                                                                          • Instruction ID: 1dc762134bbb593960fc0cb1d300d744f3b6ce5c4049fd78f82af59beedfe108
                                                                          • Opcode Fuzzy Hash: 9b5a4dcd115e69641762c3c2e28ed59073ce919ca37378d088593d738fffa8f3
                                                                          • Instruction Fuzzy Hash: F521F571504284DFDF0DDF94E5C0B66BB65FB84328F24C9ADE9094B246C336D846CB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294227551.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11bd000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 935a2f8a1f5ff4a0205c89396ad1a7e2187f797e0626bdb699095fbd390dcf62
                                                                          • Instruction ID: 4164be8c891470eaa69b3c1cada6b81d9d4f068c5f771f31018ff648d97a6e48
                                                                          • Opcode Fuzzy Hash: 935a2f8a1f5ff4a0205c89396ad1a7e2187f797e0626bdb699095fbd390dcf62
                                                                          • Instruction Fuzzy Hash: 312180755083809FCB06CF24D9D4B15BF71EB46314F28C5DAD8498B2A7C33A985ACB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 16492e8e44600a2f6516922c8da787151718ebbbddf27e3267d3a2fdfa661a45
                                                                          • Instruction ID: 69f286b8800bdf7edb2ee9ddba5db4a3c89812d65b1866a880325b62c6a5af05
                                                                          • Opcode Fuzzy Hash: 16492e8e44600a2f6516922c8da787151718ebbbddf27e3267d3a2fdfa661a45
                                                                          • Instruction Fuzzy Hash: 07219076504680DFDF16CF54D9C4B16BF71FB84320F24C6AAD8044B656C336D45ACBA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47eed4f306db4c694cde086ab68d208304a7978f4d32bc4ebacdeb989ed2fbcd
                                                                          • Instruction ID: 189ffa49c61d6bee65b7f9d355c5ae97347aefcb551972705a220902dd95fa95
                                                                          • Opcode Fuzzy Hash: 47eed4f306db4c694cde086ab68d208304a7978f4d32bc4ebacdeb989ed2fbcd
                                                                          • Instruction Fuzzy Hash: F011DF76904680CFCF16CF54D5C0B16BF71FB84324F2486A9D8454B617C336D45ACBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294227551.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11bd000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7de45770dd4605560558762572d020000ff3947882c87e3ed3cf7238edc5da06
                                                                          • Instruction ID: 1dea8a60567a83bd81d2e0293715432144b60c047a81d98cd33d2cd7fd92bfec
                                                                          • Opcode Fuzzy Hash: 7de45770dd4605560558762572d020000ff3947882c87e3ed3cf7238edc5da06
                                                                          • Instruction Fuzzy Hash: 4811BB75904280DFCF1ACF54D5C0B55BFA1FB84328F28C6A9D8494B656C33AD84ACB62
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 764a9fb1f8e3eae9ede21b98a3baf764ebee8832e440c89718b4ac4a9a82a94f
                                                                          • Instruction ID: d1442e820af8b1c4c19ec4b98cf3bf72d5aa96a0b57516073c65fb0c6222eac9
                                                                          • Opcode Fuzzy Hash: 764a9fb1f8e3eae9ede21b98a3baf764ebee8832e440c89718b4ac4a9a82a94f
                                                                          • Instruction Fuzzy Hash: F6012835008B849AEF1C4AA6E980766BFCCEB40628F048059EE054A542C3389884CA72
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294153459.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_11ad000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 20563c7d90cef38fca6378d342a870fd19c84618ee7636e6678caf4b1dd71b89
                                                                          • Instruction ID: a11b44c5be56ecf3c01910fa351c7a7b675fa388cc2877a62e1d825d98ff26bb
                                                                          • Opcode Fuzzy Hash: 20563c7d90cef38fca6378d342a870fd19c84618ee7636e6678caf4b1dd71b89
                                                                          • Instruction Fuzzy Hash: F6F0FC754047849EEB158E56DCC4B62FFD8EB41734F18C05AED441B687C3785844CA71
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ch8A$u0S
                                                                          • API String ID: 0-2138403113
                                                                          • Opcode ID: 2d71292fcea1435139b63e49401aa7b6f1d3b5161a7df716a1746a6b0745b3c0
                                                                          • Instruction ID: 7a45c8e2ecfff5fa653707296a802d71d6c79f7c92d69651b6db8b50df6a2621
                                                                          • Opcode Fuzzy Hash: 2d71292fcea1435139b63e49401aa7b6f1d3b5161a7df716a1746a6b0745b3c0
                                                                          • Instruction Fuzzy Hash: 7E71E674E1520ACF8B04CFEAD5825AEBFF2FF89300F50946AD415A7254DB349A42CF99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: ch8A$u0S
                                                                          • API String ID: 0-2138403113
                                                                          • Opcode ID: f7138df0a20f4b6e769c75d34c27fd46c7e7015a981aa20a1f100a9f72759395
                                                                          • Instruction ID: dbe93cff271928abe04c21262164c524ffde1e17e0c6d7192274ef681ecd0950
                                                                          • Opcode Fuzzy Hash: f7138df0a20f4b6e769c75d34c27fd46c7e7015a981aa20a1f100a9f72759395
                                                                          • Instruction Fuzzy Hash: D771E474E14209CFCB04CFAAD5865AEBFF2FF88300F54946AD415A7254EB349A42CF99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: I&
                                                                          • API String ID: 0-288571399
                                                                          • Opcode ID: d9dd7d7d67116a5c77cbacb7a57748dd5d975aa001b60f888fbcd28fb18dbd28
                                                                          • Instruction ID: 039926d577adda31e3ce4dd0beea47438658e20e4e54118558f01060e83b8128
                                                                          • Opcode Fuzzy Hash: d9dd7d7d67116a5c77cbacb7a57748dd5d975aa001b60f888fbcd28fb18dbd28
                                                                          • Instruction Fuzzy Hash: 3AD19B70E0821A8FCB04CFA9C5456BEBFB2EF89254F1484AED515B7355EB349A02CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: [7Q5
                                                                          • API String ID: 0-3917417628
                                                                          • Opcode ID: a7b1bac06b015341f684c30214472de06df55c5e8ac1039f78ac3fb5b9975379
                                                                          • Instruction ID: 1672f682f0ac3033287bb642ff857229983041c6cde0b41070a2c6438454f704
                                                                          • Opcode Fuzzy Hash: a7b1bac06b015341f684c30214472de06df55c5e8ac1039f78ac3fb5b9975379
                                                                          • Instruction Fuzzy Hash: D2A11774E15219CFDB14CFA9C980AAEFBB2FF89304F1481A9D509A7355DB30AA41CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: [7Q5
                                                                          • API String ID: 0-3917417628
                                                                          • Opcode ID: ec08765873f9086a67181f2e7a26776a79f19bb6919ff86062e8d2af990f7b0e
                                                                          • Instruction ID: f06c13bfeff06884e1acb7fd93b3f2299a7f52331719a40567fded1b33648424
                                                                          • Opcode Fuzzy Hash: ec08765873f9086a67181f2e7a26776a79f19bb6919ff86062e8d2af990f7b0e
                                                                          • Instruction Fuzzy Hash: 45A11974E15219CFCB14CFA9C981AAEFBB2FF89304F1481A9D509A7355DB309A42CF61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0a70f618f11bdfaf25e1f8afd8f0950f2019535dda84d047a629c0a7041b34d3
                                                                          • Instruction ID: 8de861d010a8b79ea655eeadaeabdbb218d2bbab462be23c13f41932c6d31afb
                                                                          • Opcode Fuzzy Hash: 0a70f618f11bdfaf25e1f8afd8f0950f2019535dda84d047a629c0a7041b34d3
                                                                          • Instruction Fuzzy Hash: BE12D3B1511746ABE730CF65F99E2DD3BA0B745328B90E208D2616FAD8D7B8114ACF84
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b75b28ef510110a163f473c86d474b0bc7c5f1d52e9fb12ee489528a97ca02fa
                                                                          • Instruction ID: 6a0627ce3b9b0cc6d3190143b44d78caafaa37f25069038c383f02b1f56c2e69
                                                                          • Opcode Fuzzy Hash: b75b28ef510110a163f473c86d474b0bc7c5f1d52e9fb12ee489528a97ca02fa
                                                                          • Instruction Fuzzy Hash: 0AD13774E0420ADFCB44CFA5C4858AEFFB2FF89310B55C99AD515AB214D734AA46CF90
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 64bd7d9fa9da59d784e38f20f7fe237fd64c9c5e3e7b767f24ce16072889381d
                                                                          • Instruction ID: a7030d693abf1c2584a4a604e5ecf7eaaa0db38c8eecb6672a00e3c4b2b93d93
                                                                          • Opcode Fuzzy Hash: 64bd7d9fa9da59d784e38f20f7fe237fd64c9c5e3e7b767f24ce16072889381d
                                                                          • Instruction Fuzzy Hash: 8CD11770E0420ADFCB44CFA5C4858AEFFB2FF89310B259999D516AB314D734AA46CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.294497786.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_2ae0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a51f3929e106fcd0cea8a8794ddbb2d74d64bee165f71592cce60d1bd3a92b25
                                                                          • Instruction ID: 936f009dd0150523b4e9c4910b36c13d27b9a342e1b9c5210a3a5b0f8866f41d
                                                                          • Opcode Fuzzy Hash: a51f3929e106fcd0cea8a8794ddbb2d74d64bee165f71592cce60d1bd3a92b25
                                                                          • Instruction Fuzzy Hash: CAA18F32E006098FCF15DFB5C8845DDBBB6FF85304B15816AE806AB224DF31A946CF40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dd1b3e36cd814877656cca5657875153add1a8b779ac2ec60675305595420e64
                                                                          • Instruction ID: 7cb330374b1d5b96ca310a0ff29383715a836d7ab37925f6f9b9f1008c4c9a7f
                                                                          • Opcode Fuzzy Hash: dd1b3e36cd814877656cca5657875153add1a8b779ac2ec60675305595420e64
                                                                          • Instruction Fuzzy Hash: 15B1F574E052598FCB08CFA9C5419AEFBF2EF89310F24C16AD505BB355E7349942CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 97cff3b634d83afe04327deb9478d450408aeb0de88ad72de4e2bd6e5895c544
                                                                          • Instruction ID: 5412413c3846bc6aae1e7928cb040d820002a6967903ad5d865e79a582669892
                                                                          • Opcode Fuzzy Hash: 97cff3b634d83afe04327deb9478d450408aeb0de88ad72de4e2bd6e5895c544
                                                                          • Instruction Fuzzy Hash: 33A10674E052598FCB08CFA9C5419AEFBF2FF89310F24C16AC405AB315D7349942CB58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a96e2ae456df28d20f674f3ebdea246a86b8251a613dbb1fd19148a70eb8e277
                                                                          • Instruction ID: 1e5d9cedd8ddbb86bff4f6933a913ed8ed53fcb8bbee20122f1534b1cbd0924d
                                                                          • Opcode Fuzzy Hash: a96e2ae456df28d20f674f3ebdea246a86b8251a613dbb1fd19148a70eb8e277
                                                                          • Instruction Fuzzy Hash: F1B10774E15219CFDB14CFA9C980AAEFBB2FF89204F2481AAD509A7355DB309941CF64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4390a988d3f20450d1bba0d70cdc18f39562519cc460091dc6928ab0eee838f9
                                                                          • Instruction ID: 8b05bf1d4c72e12c0282d8de1639aaa19de1a4284037c16b3085f0d995116f5d
                                                                          • Opcode Fuzzy Hash: 4390a988d3f20450d1bba0d70cdc18f39562519cc460091dc6928ab0eee838f9
                                                                          • Instruction Fuzzy Hash: EAA12774E15219CFDB14CFA9C980AAEFBF2FF89204F2481AAD509A7355DB309941CF64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c31c267d47b09980a757b19b5331b35dd6687c2eeca895a8ca0f3ca095d5067c
                                                                          • Instruction ID: 2c6c70faa9d661d8e3ac529b111325a5f477f088662a9b818ef3a78d9721541e
                                                                          • Opcode Fuzzy Hash: c31c267d47b09980a757b19b5331b35dd6687c2eeca895a8ca0f3ca095d5067c
                                                                          • Instruction Fuzzy Hash: 90913B74E142199BCB14CFA9C9809AEFBB2FF89304F24C1ADD919A7355D730A941CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f945a8cf7c76a247ca87da980c53d230e0e3f335a6cffb62c3af6f5df138ba98
                                                                          • Instruction ID: 23bc5f3d73524e409c78fc41bba103cffd25d968ad3ef0bd7c12fbc5f4c7ec13
                                                                          • Opcode Fuzzy Hash: f945a8cf7c76a247ca87da980c53d230e0e3f335a6cffb62c3af6f5df138ba98
                                                                          • Instruction Fuzzy Hash: D0911A74E142598BCB14CFA9C980AAEFBB2FF89304F25C1ADD819A7355D7309941CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 45f0c98dd7a5a4288a6596b2d53cc76c92181cd0490f3670dd748014a2f5c2fd
                                                                          • Instruction ID: 7baba5b93c52a13fcbce6c6a7d3b75f0c13481a611afdfc6eea13ee8e9ea28d2
                                                                          • Opcode Fuzzy Hash: 45f0c98dd7a5a4288a6596b2d53cc76c92181cd0490f3670dd748014a2f5c2fd
                                                                          • Instruction Fuzzy Hash: 3F913874E15219DFCB14CFA8C980AADFBB2FF89304F219199D909A7356D730A941CF64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bcdd3b2503ed506e64d65737cfbd2977b5ac8a8c72cebbc83482452c18d783bc
                                                                          • Instruction ID: e29e58d301437af7e1e720367f41670f92902a62f98f533d531e6b2d8ee35c8c
                                                                          • Opcode Fuzzy Hash: bcdd3b2503ed506e64d65737cfbd2977b5ac8a8c72cebbc83482452c18d783bc
                                                                          • Instruction Fuzzy Hash: C7810374E1520ADFCB04CF99D5849AEFBF2FF89210F1494AAE815AB325D734AA41CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a34456eb2ac4e853e32e30670cf0f5de640b82c78424b6de787d6f6af34d4f2a
                                                                          • Instruction ID: 3229844303b31dc1da3128ed8ef18d6c187b54feb24a061c28b8babbabee4059
                                                                          • Opcode Fuzzy Hash: a34456eb2ac4e853e32e30670cf0f5de640b82c78424b6de787d6f6af34d4f2a
                                                                          • Instruction Fuzzy Hash: 0E81E374E1520ADFCB04CF99D5849AEFBF2FF88210F14956AE815AB325D734AA42CF50
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3ff2f8b263b2771f72b847fed1f9c87d9f5db965fb31bc6ca5d2eef585645f88
                                                                          • Instruction ID: b3256d55ed288b0f0518aa2e47618821fceff8b0733bf834ca37bb19c21dc141
                                                                          • Opcode Fuzzy Hash: 3ff2f8b263b2771f72b847fed1f9c87d9f5db965fb31bc6ca5d2eef585645f88
                                                                          • Instruction Fuzzy Hash: BF710579E05209CFCB04CFA9C541AEEFBF2FB89210F24906AD859B7314D7349A42CB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d0760921c5ae8d36f232407a6c1e997d4dca220d4ae13a993a7f7ebcbf08936a
                                                                          • Instruction ID: 28cf1cb05d91cdc67109733cac9f93e2e44571f578adca48639d329aee4098f3
                                                                          • Opcode Fuzzy Hash: d0760921c5ae8d36f232407a6c1e997d4dca220d4ae13a993a7f7ebcbf08936a
                                                                          • Instruction Fuzzy Hash: 5961F374E05209DFCB04CFAAD5819EEFBF2FF89210F24946AD819B7214D7309A42CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7e781bbf53b38ee7b00e97307492e41d27277dacda56218f0bfef6e95a526230
                                                                          • Instruction ID: 51ffb577ec5c1bf8d859a72785d7a7bc03d020e228482bdfc8a0279540a037e5
                                                                          • Opcode Fuzzy Hash: 7e781bbf53b38ee7b00e97307492e41d27277dacda56218f0bfef6e95a526230
                                                                          • Instruction Fuzzy Hash: E9513B70E0520AEBCB44CF95C4886BEFBF2FB89314F1085ADC515A7244D7349A42CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 74ba34c08c3fbc3167ea22fd77804690870ca388121763d860a1220413326a1d
                                                                          • Instruction ID: b25935a3c4f5979f7b794a9addb50f20da4b16e645568ae869b5d28c1bb69430
                                                                          • Opcode Fuzzy Hash: 74ba34c08c3fbc3167ea22fd77804690870ca388121763d860a1220413326a1d
                                                                          • Instruction Fuzzy Hash: E1416E71E1A2088BDF08CFA5D9415EEBBF6FB8D310F14A46AD106F7254DB35A902CB24
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d93b7678b4ee1032479dffc93878ceb4dd4c0db7cb9e8e05fff01cdaf2b0f351
                                                                          • Instruction ID: 877ac1575d0ed40eeb9cbcafc6ff2a67ecee5b513d9b747f9b05146206a437d1
                                                                          • Opcode Fuzzy Hash: d93b7678b4ee1032479dffc93878ceb4dd4c0db7cb9e8e05fff01cdaf2b0f351
                                                                          • Instruction Fuzzy Hash: 08415A71E116188BEB18CF6BCD4539AFBF3AFC9200F14C1BA950CA6214DB345A468F41
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: da0d58b970f7e0f4fb5c1a2aefbd67de361244ff9ae357010e5b8a5988758456
                                                                          • Instruction ID: f3fac4fa060d60984216474e8987ccadf9193e44e00647e0d719074d04eae3f3
                                                                          • Opcode Fuzzy Hash: da0d58b970f7e0f4fb5c1a2aefbd67de361244ff9ae357010e5b8a5988758456
                                                                          • Instruction Fuzzy Hash: C341FAB5E0560A9BCB08CFA9C5915AEFBF2FF89300F64D5AAC805B7214D7349A41CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ac7ee24ac9755748ad22068508a667d4dce0d8f203a6004a7f50ebb2896b166e
                                                                          • Instruction ID: 28c1b7b698157dab1f96e0cc7a22110f888bffccf98a77884fecd4fd26d16cd2
                                                                          • Opcode Fuzzy Hash: ac7ee24ac9755748ad22068508a667d4dce0d8f203a6004a7f50ebb2896b166e
                                                                          • Instruction Fuzzy Hash: C341E7B4E0560A9BCB08CFA9C5915AEFBF2FF89300F64D1AAC805B7214D7349A41CF94
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f98d5c14cabe5a6181fe89927976d747af2540638ee6ef8a779c76fc4fbb8ebb
                                                                          • Instruction ID: f87b9785155b9238150658b3c752c206fe4a36d4d38881c4b699e3253e029ed2
                                                                          • Opcode Fuzzy Hash: f98d5c14cabe5a6181fe89927976d747af2540638ee6ef8a779c76fc4fbb8ebb
                                                                          • Instruction Fuzzy Hash: 93414EB1E156188BEB18DF6B8D4569EFBF7BFC8300F14C1BA950DA6214DB301A868F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: d9347b536dcd53d9bb405fc11ac446a2fa9aed8c54542a0c56917daed910712f
                                                                          • Instruction ID: 6fa469eb41ac3bf5462780ddcb4998defd680a7703a6238516ea08e87373bf92
                                                                          • Opcode Fuzzy Hash: d9347b536dcd53d9bb405fc11ac446a2fa9aed8c54542a0c56917daed910712f
                                                                          • Instruction Fuzzy Hash: 6141F7B4E0460A9BCB04CFAAC9505AEFFF2FF89300F14D46AD915A7254D7349A42CF95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9d07a77702f5b14f8ae252ddb51cbfa9d5677e48520768bfe862511af2f15383
                                                                          • Instruction ID: e9f6e315e420d8bb7eda33f1c2ad14563a10496970d2aa1bdb4f861c55718a26
                                                                          • Opcode Fuzzy Hash: 9d07a77702f5b14f8ae252ddb51cbfa9d5677e48520768bfe862511af2f15383
                                                                          • Instruction Fuzzy Hash: 4E41E4B8E0460A9BCB04CFAAD5905AEFFB2FF89300F24D06AD955A7214D7349A42CF54
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2600aa22b2afb788c6f54777ea658c0afcfca0219e524499664b919affb7a8b5
                                                                          • Instruction ID: daec9b1d4c9b693b9b51aadd9a2d9338675b5c5f9b4ccf1fa3e339b3001054cb
                                                                          • Opcode Fuzzy Hash: 2600aa22b2afb788c6f54777ea658c0afcfca0219e524499664b919affb7a8b5
                                                                          • Instruction Fuzzy Hash: A6111771E116199BDB58CFAAD9406EEFBF7EBC8210F14C06AD508B7214DB705A018F91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: abaed76adf8eaf4e8e4356f3755a787bc79a1720503d25b6e6f7de2bb1f9c7e3
                                                                          • Instruction ID: 90bd6c6722a6302a61d016f20417722e80d8352973c097b67f925662706db508
                                                                          • Opcode Fuzzy Hash: abaed76adf8eaf4e8e4356f3755a787bc79a1720503d25b6e6f7de2bb1f9c7e3
                                                                          • Instruction Fuzzy Hash: DF11ECB1E046189BEB18CFABD84469EFBF7AFC8310F04C17AD918A6214EB3445568F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 10652988054906dd4f8f722e7477d013de325cc575ea03984be13dcb5b708ef8
                                                                          • Instruction ID: a4beee952aebf8854a9c531d0a7eac6fddc209d4f5ad5b24a96db578bcdfa4a7
                                                                          • Opcode Fuzzy Hash: 10652988054906dd4f8f722e7477d013de325cc575ea03984be13dcb5b708ef8
                                                                          • Instruction Fuzzy Hash: 54111F71E116199BDB58CFAAD9516EEBBF3BFC8200F14C06AD808B7258DB704A05CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.300916138.00000000056C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056C0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_56c0000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3945e5a0544cbdc5afa7f06b24a2caeaccd6e05f0c046c73a2f7b5d91535ad1d
                                                                          • Instruction ID: 308ffb91985ce274d073d1153c8a92544fcd4a8c77ac313fdd3ae358240cca98
                                                                          • Opcode Fuzzy Hash: 3945e5a0544cbdc5afa7f06b24a2caeaccd6e05f0c046c73a2f7b5d91535ad1d
                                                                          • Instruction Fuzzy Hash: F211D0B1E006189BEB0CCFABD94569EFAF3AFC8300F04C17AC908B6258DB3445468F51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Execution Graph

                                                                          Execution Coverage:19.9%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:161
                                                                          Total number of Limit Nodes:4
                                                                          execution_graph (node/edge text behind the rendered graph, condensed to the call chains that reach a Windows API; addresses are the dump's block addresses, leaf blocks without API calls omitted)
                                                                          • 2b2add0 -> 2b2adee -> 2b29c5c -> 2b2c8f0 LoadLibraryA -> 2b2c9cc
                                                                          • 2b24540 -> 2b24554 -> 2b2478a -> {2b24870, 2b2485f, 2b2496c, 2b24986} -> 2b24c67 -> 2b24c86 -> {2b24cbb, 2b24cc8} -> 2b24d2c RtlEncodePointer -> 2b24d55 -> 2b24c96 -> 2b249ab; 2b2478a -> 2b249e8 -> 2b249ee -> 2b24f1f -> 2b24f8f -> 2b24fd7 RtlEncodePointer -> 2b25000 -> 2b24a00 -> 2b2455d
                                                                          • 5e7c770 -> 5e7c779 -> 5e7c890 -> 5e7c8af -> 22 callees (5e7d5e0, 5e7d601, 5e7d648, 5e7d68f, 5e7d6d6, 5e7d71d, 5e7d764, 5e7d7ab, 5e7d7f2, 5e7d830, 5e7d877, 5e7d8b5, 5e7d8fc, 5e7d943, 5e7d98a, 5e7d9c8, 5e7da0f, 5e7da56, 5e7da9d, 5e7dae4, 5e7db2b, 5e7db72), each calling KiUserExceptionDispatcher (the first five call it a second time via 5e7d71b) and returning through 5e7dbb4 to 5e7c8d7; 5e7c779 also branches to 5e7c875 and to 5e7c881, which enters the same 5e7c890 body
                                                                          • 5e7c0c8 -> 5e7c0fc -> {5e7c3e0, 5e7c3f0} -> 5e7c421 -> 5e7afe4 -> 5e7c5c0 DeleteFileW -> 5e7c63f -> 5e7c446 -> 5e7c3d6
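The execution graph above is emitted as a flat node/edge text, which is tedious to read by hand when a region has hundreds of nodes. The script below is an added example for this page, not code from Joe Sandbox or from the report: it parses that text into nodes and edges and lists, for every entry block, the chain of block addresses that reaches a named Windows API. The grammar it assumes is read off the dump (a node is a decimal id followed by a hex address and optional label words, an edge is `src->dst`, and `N API calls` is Joe's summary of a collapsed callee); the input is an excerpt of this report's execution_graph text, trimmed to the edges needed here, and every helper name is ours.

```python
"""Recover API-reaching call chains from a Joe Sandbox execution_graph dump.
Added example (stand-alone, standard library only); parser and names are ours,
not Joe Sandbox's."""
import re
from collections import defaultdict

# Excerpt of this report's execution_graph text, trimmed to the edges used here.
# Assumed grammar: "<id> <hex-addr> [label ...]" declares a node, "<src>-><dst>"
# an edge; a label is an API name or Joe's "N API calls" collapsed-callee summary.
GRAPH_EXCERPT = """
30195 2b2add0 30196 2b2adee 30195->30196 30199 2b29c5c 30196->30199
30201 2b2c8f0 LoadLibraryA 30199->30201 30202 2b2c9cc 30201->30202
30222 2b24540 30223 2b24554 30222->30223 30226 2b2478a 30223->30226
30233 2b24870 30226->30233 30234 2b248b4 30233->30234
30235 2b249ab 30234->30235 30253 2b24c67 30234->30253
30254 2b24c86 30253->30254 30258 2b24cbb 30254->30258 30259 2b24cc8 30258->30259
30260 2b24d55 30259->30260 30261 2b24d2c RtlEncodePointer 30259->30261 30261->30260
30271 5e7c770 30273 5e7c779 30271->30273 30301 5e7c890 30273->30301
30302 5e7c8af 30301->30302 30303 5e7c8d7 30302->30303
30304 5e7d764 KiUserExceptionDispatcher 30302->30304 30304->30303
30306 5e7d5e0 2 API calls 30302->30306 30306->30303
30414 5e7d5e0 30415 5e7d5e6 KiUserExceptionDispatcher 30414->30415
30417 5e7d71b KiUserExceptionDispatcher 30415->30417 30419 5e7dbb4 30417->30419
30203 5e7c0c8 30205 5e7c0fc 30203->30205 30208 5e7c3e0 30205->30208
30210 5e7c421 30208->30210 30218 5e7afe4 30210->30218
30219 5e7c5c0 DeleteFileW 30218->30219 30221 5e7c63f 30219->30221
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
DEC_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]{4,}$")


def _starts_node(tokens, i):
    """True when tokens[i], tokens[i+1] look like '<id> <address>'."""
    return bool(i + 1 < len(tokens) and DEC_RE.match(tokens[i]) and HEX_RE.match(tokens[i + 1]))


def parse_execution_graph(text):
    """Return (nodes, edges): nodes[id] = {'addr': int, 'label': str}, edges[src] = [dst, ...].
    Limitation: a short decimal label word followed by a hex-looking word would be
    misread as a node; Joe's labels ('2 API calls') never do that."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    i = 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
            i += 1
        elif _starts_node(tokens, i):
            nid, addr = int(tokens[i]), int(tokens[i + 1], 16)
            i += 2
            label = []
            while i < len(tokens) and not EDGE_RE.match(tokens[i]) and not _starts_node(tokens, i):
                label.append(tokens[i])
                i += 1
            nodes[nid] = {"addr": addr, "label": " ".join(label)}
        else:
            i += 1  # stray token (label text of a node we did not keep); skip it
    return nodes, edges


def api_names(label):
    """API names in a node label: CamelCase words such as LoadLibraryA,
    skipping the words of Joe's 'N API calls' summaries."""
    return [w for w in label.split() if w != "API" and w[:1].isupper() and any(c.islower() for c in w)]


def roots(nodes, edges):
    """Nodes with no incoming edge: the graph's entry points."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return sorted(n for n in nodes if n not in targets)


def paths_to_apis(nodes, edges):
    """Map each API name to the address chains (entry ... calling block), as lowercase
    hex strings, on which a depth-first walk from each entry point first reaches it."""
    found = defaultdict(set)
    for root in roots(nodes, edges):
        seen, stack = set(), [(root, (root,))]
        while stack:
            nid, path = stack.pop()
            if nid in seen:
                continue
            seen.add(nid)
            for api in api_names(nodes[nid]["label"]):
                found[api].add(tuple(f"{nodes[n]['addr']:x}" for n in path))
            stack.extend((nxt, path + (nxt,)) for nxt in edges.get(nid, ()) if nxt in nodes)
    return {api: sorted(chains) for api, chains in found.items()}


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(GRAPH_EXCERPT)
    for api, chains in sorted(paths_to_apis(g_nodes, g_edges).items()):
        for chain in chains:
            print(f"{api:26} {' -> '.join(chain)}")
```

Run against the excerpt it prints one chain each for LoadLibraryA, RtlEncodePointer and DeleteFileW and three for KiUserExceptionDispatcher; the node labelled `2 API calls` at 5e7d5e0 is Joe's collapsed view of the same callee that the second root (5e7d5e0 -> 5e7d5e6 -> 5e7d71b) shows expanded. The same walk explains the control-flow graphs that follow: the entries for 5e7d5e0, 5e7d601, 5e7d648, 5e7d68f and 5e7d6d6 all end at 5e7e2f6 and reference the same two call sites (05E7D6FC and 05E7DB98), and their Instruction Fuzzy Hashes differ in only a few nibbles, which is what overlapping entry offsets into one function body look like rather than five distinct functions.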

                                                                          Control-flow Graph

                                                                          control_flow_graph: block 0 = 5e7d5e0-5e7e2f6 (KiUserExceptionDispatcher * 2); block 141 = 5e7e2fc-5e7e34d; edge 0->141
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7D6FC
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: cace106db3e2003b52516da31e4d1e61e32475a7882e87ae3367cf9332f3e732
                                                                          • Instruction ID: 31dbe1aa83763313657bf6fbd92bcd5bead91616ce873d0e2b32e143f661abf3
                                                                          • Opcode Fuzzy Hash: cace106db3e2003b52516da31e4d1e61e32475a7882e87ae3367cf9332f3e732
                                                                          • Instruction Fuzzy Hash: 4A02A738A01258CFCB65DF60D98869ABBB2FF4938AF1041E9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: block 144 = 5e7d601-5e7e2f6 (KiUserExceptionDispatcher * 2); block 285 = 5e7e2fc-5e7e34d; edge 144->285
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7D6FC
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 4d7419e39cd27f08fcdfb833b6243c93654f897dea57828a9843af2e840d4a77
                                                                          • Instruction ID: cf0f4de645427ebe1c6679c278d4eadb547f5312d4e899d8e2fdac4fda23c06e
                                                                          • Opcode Fuzzy Hash: 4d7419e39cd27f08fcdfb833b6243c93654f897dea57828a9843af2e840d4a77
                                                                          • Instruction Fuzzy Hash: 4102A738A01258CFCB65DF70D988699BBB2FF4938AF1041E9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: block 288 = 5e7d648-5e7e2f6 (KiUserExceptionDispatcher * 2); block 426 = 5e7e2fc-5e7e34d; edge 288->426
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7D6FC
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 89931c5f83e5699576bc62e5a525544eb8c183f71ef507db2ae1d730cd4678dd
                                                                          • Instruction ID: 0a0c0446eec33faea475cf1b9268d5c4ef4653df240a20a9c8ea5f26016e7765
                                                                          • Opcode Fuzzy Hash: 89931c5f83e5699576bc62e5a525544eb8c183f71ef507db2ae1d730cd4678dd
                                                                          • Instruction Fuzzy Hash: 9702A738A01268CFCB65DF70D988699BBB2FF4938AF1041E9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: block 429 = 5e7d68f-5e7e2f6 (KiUserExceptionDispatcher * 2); block 564 = 5e7e2fc-5e7e34d; edge 429->564
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7D6FC
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: bc4e3e32308ea92863cde677f894215ace9ade03f11750f88b63f516b995ab95
                                                                          • Instruction ID: 558ccb40113560b93af799321445539c5fa8cdaae23707d62f999828982156a6
                                                                          • Opcode Fuzzy Hash: bc4e3e32308ea92863cde677f894215ace9ade03f11750f88b63f516b995ab95
                                                                          • Instruction Fuzzy Hash: F902B738A01268CFCB65DF70D988699BBB2FF4938AF1041E9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          control_flow_graph: block 567 = 5e7d6d6-5e7e2f6 (KiUserExceptionDispatcher * 2); block 699 = 5e7e2fc-5e7e34d; edge 567->699
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7D6FC
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: eb59b761d7c3f518f72d4e82d7e1e1b05643383edca0ed7d7252a89f032058aa
                                                                          • Instruction ID: c52d6b918ab4bd954e7c2acc2a70f2294a4b1bcc4a2a6382d5868cc56350ad9b
                                                                          • Opcode Fuzzy Hash: eb59b761d7c3f518f72d4e82d7e1e1b05643383edca0ed7d7252a89f032058aa
                                                                          • Instruction Fuzzy Hash: BB02A738A01268CFCB65DF70D988699BBB2FF4938AF1041D9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d71d-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: a6537b5b2d6611c6dcc17b0a52a0ae0f232b1ab5c8ec77b3f4e877f3e0aab4ef
                                                                          • Instruction ID: e878ae509365fad43727c4e757f80aa3912694735275743cca337c2f3faa2060
                                                                          • Opcode Fuzzy Hash: a6537b5b2d6611c6dcc17b0a52a0ae0f232b1ab5c8ec77b3f4e877f3e0aab4ef
                                                                          • Instruction Fuzzy Hash: 1DF1A538A01368CFCB65DF60D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d764-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 11cb837b1e198005ea50edbf499b3769ca6e1248ed27e52cacb02db674d425ab
                                                                          • Instruction ID: fbe314184b136ebddfc608e94c7d3e98bacd73ea1c2093156694ad61ca9c81a6
                                                                          • Opcode Fuzzy Hash: 11cb837b1e198005ea50edbf499b3769ca6e1248ed27e52cacb02db674d425ab
                                                                          • Instruction Fuzzy Hash: 98F1A638A05368CFCB65DF60D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d7ab-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 2f60864d2735600bd950c47c0b9e05ba1bb1b760037237b1be4c58c97d713d38
                                                                          • Instruction ID: fd5489f149c8d492dc2f09d2623864574630d48abc5c2b9c26300c2dfe3c059c
                                                                          • Opcode Fuzzy Hash: 2f60864d2735600bd950c47c0b9e05ba1bb1b760037237b1be4c58c97d713d38
                                                                          • Instruction Fuzzy Hash: 01F1A638A05368CFCB65DF60D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d7f2-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: f3870baa333af9a1ed828fd7aff71c804bd9bdccb50fe6581cc7c690dbc1d5b3
                                                                          • Instruction ID: 6a9cc61e9ce5de62295ee486f9d1df3c62108cd95ec336e895fdc4d374a48962
                                                                          • Opcode Fuzzy Hash: f3870baa333af9a1ed828fd7aff71c804bd9bdccb50fe6581cc7c690dbc1d5b3
                                                                          • Instruction Fuzzy Hash: B9F1A638A05268CFCB65DF70D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d830-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: a095e3138648681e68fb0087b90241b5df8bc50dfa5ee4b41b0e5876a73cff97
                                                                          • Instruction ID: ba65a6753ee8f5dd6988c76c4d5595732fd30310b26d0416f30ea85741f6804a
                                                                          • Opcode Fuzzy Hash: a095e3138648681e68fb0087b90241b5df8bc50dfa5ee4b41b0e5876a73cff97
                                                                          • Instruction Fuzzy Hash: D1E1B638A01268CFCB65DF70D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF51
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d877-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 44bf28e1cb8a675f8ebe1512b63a6b42185b663bc79f6c9b468220f357fb81da
                                                                          • Instruction ID: 621b8e6eae7e564a960f192617c40ccca153f70046ad488fd9f1146dddef3235
                                                                          • Opcode Fuzzy Hash: 44bf28e1cb8a675f8ebe1512b63a6b42185b663bc79f6c9b468220f357fb81da
                                                                          • Instruction Fuzzy Hash: E3E1A638A05268CFCB65DF60D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d8b5-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 293396078f4422ae520a478aa19cb124b29f14705642426a699b2522631c14cc
                                                                          • Instruction ID: 75be117c9d80e3a58014c6251b0b109044624bfc19d46a3c828d441d0b79025a
                                                                          • Opcode Fuzzy Hash: 293396078f4422ae520a478aa19cb124b29f14705642426a699b2522631c14cc
                                                                          • Instruction Fuzzy Hash: 55E1C638A01268CFCB65DF70D98869ABBB2FF4938AF1041D9D54AA7350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d8fc-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: 585dbd0947dff3f44a97d7122f0cda190c2c307aaa29891d07f10795ff51116a
                                                                          • Instruction ID: dd40e89ce40caccfc91cb00581f526e84510374749b9402341fbf69647890448
                                                                          • Opcode Fuzzy Hash: 585dbd0947dff3f44a97d7122f0cda190c2c307aaa29891d07f10795ff51116a
                                                                          • Instruction Fuzzy Hash: 67E1B638A05268CFCB65DF70D98869ABBB2FF4938AF1041D9D54AA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d943-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: fa241c79880b21b49f1e7cb3f4a3b3885183a78f2baa476a41875ea9b28222b5
                                                                          • Instruction ID: 67aa353be5adcf20543f3cd9c6b0244b12a1cf7720f229715d252e7d067c6f7d
                                                                          • Opcode Fuzzy Hash: fa241c79880b21b49f1e7cb3f4a3b3885183a78f2baa476a41875ea9b28222b5
                                                                          • Instruction Fuzzy Hash: 00D1B638A05268CFCB65DF60D988699BBB2FF4938AF1041D9D54EA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph
                                                                          • Block 5e7d98a-5e7e2f6 (KiUserExceptionDispatcher) -> Block 5e7e2fc-5e7e34d
                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: cc2ed1bf11bd8a6b4f9b4d8624a748678fb11b23de35b7f6cbc1ec307adf2be2
                                                                          • Instruction ID: a02f18d436c7a03a39a2654d8fd9458fc9219fb44599e5827ff34d77a818a9e9
                                                                          • Opcode Fuzzy Hash: cc2ed1bf11bd8a6b4f9b4d8624a748678fb11b23de35b7f6cbc1ec307adf2be2
                                                                          • Instruction Fuzzy Hash: 79D1B638A05268CFCB65DF60D988699BBB2FF4938AF1041E9D54EA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: f0c067f28f7b7f9a77a23f1588c77b5bc81e2d5959a5b5bc63cc194880578199
                                                                          • Instruction ID: a9d727d7599c8d6da0162646de502a7492e960658db0fb8e4bc5439ffca294b2
                                                                          • Opcode Fuzzy Hash: f0c067f28f7b7f9a77a23f1588c77b5bc81e2d5959a5b5bc63cc194880578199
                                                                          • Instruction Fuzzy Hash: 68D1B538A05268CFCB65DF60D988699BBB2FF4938AF1041E9D54EA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.512409941.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_5e70000_PI PDF.jbxd
                                                                          Similarity
                                                                          • API ID: DispatcherExceptionUser
                                                                          • String ID:
                                                                          • API String ID: 6842923-0
                                                                          • Opcode ID: f09591afd9997f08698d231d500f1141ff781bca4e10586c8752ae31fb4f7de3
                                                                          • Instruction ID: aca116c36ee69bc4301121fac8621acfe115ea5beaad994b18a068e33f807138
                                                                          • Opcode Fuzzy Hash: f09591afd9997f08698d231d500f1141ff781bca4e10586c8752ae31fb4f7de3
                                                                          • Instruction Fuzzy Hash: D1C1C538A05268CFCB65DF60D988699BBB2FF4938AF1041E9D54EA3350DB356E81CF11
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • KiUserExceptionDispatcher.NTDLL ref: 05E7DB98
                                                                          Memory Dump Source
Execution Graph

Execution Coverage: 11.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 321
Total number of Limit Nodes: 11
58ec5e8 32658->32680 32660 58ee606 32660->32618 32662 58e452f 32661->32662 32665 33356ec 3 API calls 32662->32665 32666 3336fe1 32662->32666 32663 58e683c 32663->32652 32665->32663 32667 333701b 32666->32667 32669 333727e 32667->32669 32671 58e68c0 3 API calls 32667->32671 32672 58e68d0 3 API calls 32667->32672 32673 58ed740 3 API calls 32667->32673 32674 58ed750 3 API calls 32667->32674 32668 33372bc 32668->32663 32669->32668 32670 333b4f8 3 API calls 32669->32670 32670->32668 32671->32669 32672->32669 32673->32669 32674->32669 32676 58e4837 32675->32676 32677 3336fe1 3 API calls 32676->32677 32678 58e7002 32676->32678 32679 33356ec 3 API calls 32676->32679 32677->32678 32678->32656 32679->32678 32681 58ec5f3 32680->32681 32682 58ee6c0 32681->32682 32686 58ee6d0 32681->32686 32690 58ee6e0 32681->32690 32682->32660 32687 58ee6e0 32686->32687 32689 58ee7a5 32687->32689 32694 58ec63c 32687->32694 32691 58ee70f 32690->32691 32692 58ec63c 3 API calls 32691->32692 32693 58ee7a5 32691->32693 32692->32693 32695 58ec647 32694->32695 32696 58eef8a 32695->32696 32697 58e68c0 3 API calls 32695->32697 32698 58e68d0 3 API calls 32695->32698 32696->32689 32697->32696 32698->32696 32515 750d868 32516 750d8a9 ResumeThread 32515->32516 32517 750d8d6 32516->32517 32699 750dea8 32700 750e033 32699->32700 32702 750dece 32699->32702 32702->32700 32705 333ff38 SetWindowLongW 32702->32705 32707 333ff40 SetWindowLongW 32702->32707 32709 750b6c0 32702->32709 32706 333ffac 32705->32706 32706->32702 32708 333ffac 32707->32708 32708->32702 32710 750e128 PostMessageW 32709->32710 32711 750e194 32710->32711 32711->32702 32712 167d01c 32713 167d034 32712->32713 32714 167d08e 32713->32714 32717 58e0c08 32713->32717 32722 58e0bf8 32713->32722 32718 58e0c35 32717->32718 32719 58e0c67 32718->32719 32727 58e0d82 32718->32727 32732 58e0d90 32718->32732 32723 58e0bfb 32722->32723 32724 58e0c67 32723->32724 32725 58e0d82 2 API calls 32723->32725 32726 58e0d90 2 API calls 32723->32726 32725->32724 
32726->32724 32729 58e0da4 32727->32729 32728 58e0e30 32728->32719 32737 58e0e48 32729->32737 32740 58e0e37 32729->32740 32734 58e0da4 32732->32734 32733 58e0e30 32733->32719 32735 58e0e48 2 API calls 32734->32735 32736 58e0e37 2 API calls 32734->32736 32735->32733 32736->32733 32738 58e0e59 32737->32738 32745 58e2462 32737->32745 32738->32728 32741 58e0e3b 32740->32741 32742 58e0e72 32740->32742 32743 58e0e59 32741->32743 32744 58e2462 2 API calls 32741->32744 32743->32728 32744->32743 32749 58e2480 32745->32749 32753 58e2490 32745->32753 32746 58e247a 32746->32738 32750 58e24d2 32749->32750 32752 58e24d9 32749->32752 32751 58e252a CallWindowProcW 32750->32751 32750->32752 32751->32752 32752->32746 32754 58e24d2 32753->32754 32756 58e24d9 32753->32756 32755 58e252a CallWindowProcW 32754->32755 32754->32756 32755->32756 32756->32746
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bdff1e86a1bfc424dabd4b30f8339c4397913e48215c79a33b38ceaf128234ca
                                                                          • Instruction ID: 2d0f69a1b52b3e4cb7f44068a6bedbc9dbe197ffa5c2b84740579bba1a0535b5
                                                                          • Opcode Fuzzy Hash: bdff1e86a1bfc424dabd4b30f8339c4397913e48215c79a33b38ceaf128234ca
                                                                          • Instruction Fuzzy Hash: BE117CB0D042598BCB24CFB5C858BEDBBF0BB4E315F14956AD401B32C0C7758944CBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0333B830
                                                                          • GetCurrentThread.KERNEL32 ref: 0333B86D
                                                                          • GetCurrentProcess.KERNEL32 ref: 0333B8AA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0333B903
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 6dc4818c04463e34221159aaa5a5bff93874aedd8c40b305fa5f4ac7d61ff6e8
                                                                          • Instruction ID: 91e3f852c7868161e4d180767d0e957fc14bfa28d40da538b21b2374093bac6d
                                                                          • Opcode Fuzzy Hash: 6dc4818c04463e34221159aaa5a5bff93874aedd8c40b305fa5f4ac7d61ff6e8
                                                                          • Instruction Fuzzy Hash: 7D5153B49046488FDB10CFA9CA88B9EFBF4EF49305F248599E459A7360DB349884CF65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32 ref: 0333B830
                                                                          • GetCurrentThread.KERNEL32 ref: 0333B86D
                                                                          • GetCurrentProcess.KERNEL32 ref: 0333B8AA
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0333B903
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: Current$ProcessThread
                                                                          • String ID:
                                                                          • API String ID: 2063062207-0
                                                                          • Opcode ID: 794631b3b9f6ade6abc2ce2209f28ac7e403c938cabdaf9d4228dc69899f28b1
                                                                          • Instruction ID: 580687621bfe109f4143577dfaf92288df55eae647752043ead72bed379e057e
                                                                          • Opcode Fuzzy Hash: 794631b3b9f6ade6abc2ce2209f28ac7e403c938cabdaf9d4228dc69899f28b1
                                                                          • Instruction Fuzzy Hash: 255151B49042488FDB14CFA9CA88B9EFBF4EF89305F248559E419A7360DB349884CF65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0333972E
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 7cc614d8562bceda1b87cae4ecc2d662e8da4747776a8d83d9127e5b91fe8ea2
                                                                          • Instruction ID: 46b9bcae5a330ab94d862adc4d26e3cfa606bbd9a0c815e2f54b4b137642650a
                                                                          • Opcode Fuzzy Hash: 7cc614d8562bceda1b87cae4ecc2d662e8da4747776a8d83d9127e5b91fe8ea2
                                                                          • Instruction Fuzzy Hash: A9714470A00B058FD764DF2AC48075AB7F5BF89214F048A2DE48ADBB50DB75E849CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0750D143
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID:
                                                                          • API String ID: 963392458-0
                                                                          • Opcode ID: 4a6b0ab03efd6424b19a4ee618561dc98e66a6d409fd9675f36cafb890f84cb2
                                                                          • Instruction ID: 47b83055778183a7817aedd249432568695286d85052483864e570ae3362523d
                                                                          • Opcode Fuzzy Hash: 4a6b0ab03efd6424b19a4ee618561dc98e66a6d409fd9675f36cafb890f84cb2
                                                                          • Instruction Fuzzy Hash: FB5106B1900319DFDB64CF95C980BDDBBB5BF48314F05809AE908B7250DB719A89CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0333FE0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: cbf7cf7e6cc3e18683bd1c35530285c401d4e5ee66c2d15dc2300f7d53f5a945
                                                                          • Instruction ID: a220fa751b91cd7aac57f3d0d058b2d05b6a61cc5954670d2a67f30dc3504309
                                                                          • Opcode Fuzzy Hash: cbf7cf7e6cc3e18683bd1c35530285c401d4e5ee66c2d15dc2300f7d53f5a945
                                                                          • Instruction Fuzzy Hash: D851CFB1D00309DFDB14CF99C984ADEFBB5BF88314F64812AE819AB210D775A985CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0333FE0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: dd9451a939394310a47b70943e48e23a878d3ccfb3186a71e620c3fa7ab3c4f8
                                                                          • Instruction ID: 3bc40aafe7ade589d22be1343b3815b3eb0fd7721dbb739dee0abeee3f81c12f
                                                                          • Opcode Fuzzy Hash: dd9451a939394310a47b70943e48e23a878d3ccfb3186a71e620c3fa7ab3c4f8
                                                                          • Instruction Fuzzy Hash: C941CEB1D00309DFDB14CF99C984ADEFBB5BF88314F64812AE819AB210D775A985CF91
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 058E2551
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.398187160.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_58e0000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: CallProcWindow
                                                                          • String ID:
                                                                          • API String ID: 2714655100-0
                                                                          • Opcode ID: 300ca8cc2a98ee55732ee212f9f1a857ce0deeb50c659af06223237394b3d87b
                                                                          • Instruction ID: 97c5f7afb04a2e3d4baa3a14939fe143019a4f9421baa4ad2b2b61d4a2b719b4
                                                                          • Opcode Fuzzy Hash: 300ca8cc2a98ee55732ee212f9f1a857ce0deeb50c659af06223237394b3d87b
                                                                          • Instruction Fuzzy Hash: DD414BB8900705CFCB14CF99C588AAABBFAFB89314F14C459D919AB321D770E845CFA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0333BE87
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: 81d6b5770a75ea372722d778ab8a698bb9b23e4f7eb746b9583474617070c1bb
                                                                          • Instruction ID: dafd88da8bb632921357d2bd18781147a7dbba92ebce4807c49dc42d5eb9da86
                                                                          • Opcode Fuzzy Hash: 81d6b5770a75ea372722d778ab8a698bb9b23e4f7eb746b9583474617070c1bb
                                                                          • Instruction Fuzzy Hash: DF21F4B5900208DFDB10CFA9D984ADEFBF4EB48324F14841AE954A3310D374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0750D73D
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessWrite
                                                                          • String ID:
                                                                          • API String ID: 3559483778-0
                                                                          • Opcode ID: 48b36009abaf972535b2a273fcdbf80e41646a6d20f5f404b37a1b4d1fd0915c
                                                                          • Instruction ID: 3c285d6d5c91d552bd4333504248e91542d262ca0f516192e2c9027f481aceec
                                                                          • Opcode Fuzzy Hash: 48b36009abaf972535b2a273fcdbf80e41646a6d20f5f404b37a1b4d1fd0915c
                                                                          • Instruction Fuzzy Hash: F221E2B5A003599FCB10CF9AC985BDEBBF4FB48314F54842AE918A7250D778A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered executed/not-executed colouring is not reproduced)

                                                                          • 1196: 333be00-333be94 (calls DuplicateHandle) -> 1197, 1198
                                                                          • 1197: 333be96-333be9c -> 1198
                                                                          • 1198: 333be9d-333beba
                                                                          APIs
                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0333BE87
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: DuplicateHandle
                                                                          • String ID:
                                                                          • API String ID: 3793708945-0
                                                                          • Opcode ID: a9ea933a58f2e6489643f71fde9c3bcc5d0f5e1f099dfaa8ef2893f7c5230384
                                                                          • Instruction ID: 34b9c98dcc3f4aaf6521b8b1e8f2e479f1b687b6f62a77e6e57d8aa8e9b9446f
                                                                          • Opcode Fuzzy Hash: a9ea933a58f2e6489643f71fde9c3bcc5d0f5e1f099dfaa8ef2893f7c5230384
                                                                          • Instruction Fuzzy Hash: 9C21C4B5901208DFDB10CF99D984ADEFBF8FB48324F14841AE954A7350D374A954DFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Control-flow Graph (basic blocks and edges recovered from the graph data; the rendered executed/not-executed colouring is not reproduced)

                                                                          • 1201: 750d420-750d4ac (calls ReadProcessMemory) -> 1203, 1204
                                                                          • 1203: 750d4b5-750d4d6
                                                                          • 1204: 750d4ae-750d4b4 -> 1203
                                                                          APIs
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0750D49F
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: MemoryProcessRead
                                                                          • String ID:
                                                                          • API String ID: 1726664587-0
                                                                          • Opcode ID: cf9d6c3ace10719910f872efc74c182aa97daa3c80760f03912601d784b47ac3
                                                                          • Instruction ID: 40bd8533502e79eb3204b895fd65e23c5cd26d733191a0a41ca9c55acd250789
                                                                          • Opcode Fuzzy Hash: cf9d6c3ace10719910f872efc74c182aa97daa3c80760f03912601d784b47ac3
                                                                          • Instruction Fuzzy Hash: 5F21E2B59007599FCB10CF9AC984BDEFBF4FB48320F10842AE918A7250D379A944DFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 0750D3D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: ContextThread
                                                                          • String ID:
                                                                          • API String ID: 1591575202-0
                                                                          • Opcode ID: d73861dfec6a94db21fff881cb0f41a8142a64e8e1c8ac51c1cbb095f6e67cf4
                                                                          • Instruction ID: 7f1a1f59d83cc56ee4638c5311838d81e9789a212ace7404063da13a3cf4ffa2
                                                                          • Opcode Fuzzy Hash: d73861dfec6a94db21fff881cb0f41a8142a64e8e1c8ac51c1cbb095f6e67cf4
                                                                          • Instruction Fuzzy Hash: 722106B1E0061A9FCB10CF9AD5857DEFBF8BB48224F44812AD518B3380D778A9448FA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,033397A9,00000800,00000000,00000000), ref: 033399BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 51aa0b0eb51e390e7be21988d4699b6a09a39863bbed3a5da64b2cdcf3f23787
                                                                          • Instruction ID: 6af4dd472f0915c5ee9cde2c5b9b0004d759cb2b712f87c5e2e2d2d7670951c9
                                                                          • Opcode Fuzzy Hash: 51aa0b0eb51e390e7be21988d4699b6a09a39863bbed3a5da64b2cdcf3f23787
                                                                          • Instruction Fuzzy Hash: D71103B6900209CFCB10CF9AD984BDEFBF8AB89324F04842ED559A7700D3B5A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07505A1B
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 9cb89f6c521ba92ee029f59f3da7463e847e01ae5caca0e1cc1758b1ec75f11d
                                                                          • Instruction ID: 6770bf7d491676b7cc40d9af70da5b26bc73b27a3eb4e36f4803ecd81384c0dd
                                                                          • Opcode Fuzzy Hash: 9cb89f6c521ba92ee029f59f3da7463e847e01ae5caca0e1cc1758b1ec75f11d
                                                                          • Instruction Fuzzy Hash: 212147B59006499FCB10CF9AC484BDEFBF4FB48325F14842AE968A7240D7789945DFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07505A1B
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
                                                                          • Opcode ID: 9d6f7d8d1405e3a6bdf95ad5db7dbf335a664f0bd70b693bdfc9912fb371e955
                                                                          • Instruction ID: e8b4cd61cd0f65f7b45d1f3026f324bb027e0d03e599b2f60bdb36d2302755ad
                                                                          • Opcode Fuzzy Hash: 9d6f7d8d1405e3a6bdf95ad5db7dbf335a664f0bd70b693bdfc9912fb371e955
                                                                          • Instruction Fuzzy Hash: DD2126B59002099FCB10CF9AC584BDEFBF4FB48324F14842AE958A7240D778A954DFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,033397A9,00000800,00000000,00000000), ref: 033399BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 6ec64e645d3152ddb085f6bda0629da8e16dc4f3423932353410fe509f022c09
                                                                          • Instruction ID: 3858321f275bfc43042e555e7b0fdf4e35c0f2f9370bc5fc13dcbb4cdabee748
                                                                          • Opcode Fuzzy Hash: 6ec64e645d3152ddb085f6bda0629da8e16dc4f3423932353410fe509f022c09
                                                                          • Instruction Fuzzy Hash: 1B1106B5904209CFCB10CF9AD584BDEFBF4AB49314F04841ED555B7600C3B5A545CFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0750D55B
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: c9ba4116a14a24fd51621af5eb04bf43d71d7f1dcdda57c27d3ffd05b4a54ded
                                                                          • Instruction ID: 8e480823e30c29c2073023cf88eff142c84530dfe39b956b64ec99c1f88f2682
                                                                          • Opcode Fuzzy Hash: c9ba4116a14a24fd51621af5eb04bf43d71d7f1dcdda57c27d3ffd05b4a54ded
                                                                          • Instruction Fuzzy Hash: 2D11E3B5900649DFCB10CF9AD984BDEBBF4FB48324F14841AE928A7250D775A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0750E185
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost
                                                                          • String ID:
                                                                          • API String ID: 410705778-0
                                                                          • Opcode ID: 2baf12b101cdbaeb8c54d1dc0fca234ad9ef08fb24d393c5d29d66f2f952a5e6
                                                                          • Instruction ID: 9d591098cad622dd908bce278c8cddabef903baffced40631ad40c4f58f20c25
                                                                          • Opcode Fuzzy Hash: 2baf12b101cdbaeb8c54d1dc0fca234ad9ef08fb24d393c5d29d66f2f952a5e6
                                                                          • Instruction Fuzzy Hash: D511E3B58043499FDB10DF99C985BDEBBF8FB48324F10885AE955A7240C375A944CFE1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0333972E
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: HandleModule
                                                                          • String ID:
                                                                          • API String ID: 4139908857-0
                                                                          • Opcode ID: 5f1643d7982c1728519418a3d736331a25ec42f58b664c3c21db1d83e77ce083
                                                                          • Instruction ID: 45d69711aa8b435e442b1ace92c53a5390f0b2b6be1c7e803e2e2d0c0f5d934b
                                                                          • Opcode Fuzzy Hash: 5f1643d7982c1728519418a3d736331a25ec42f58b664c3c21db1d83e77ce083
                                                                          • Instruction Fuzzy Hash: 9F11DFB5D00649CFCB10CF9AC984BDEFBF4AB89224F14841AD859A7640D3B5A545CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 0333FF9D
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: 2248826c532ff531d6ddec6f7b4879cdc6090d154c219e7ce8a696584309d092
                                                                          • Instruction ID: 1bf7eb00d9a72622ecb83980a17d8eaa847f325f7ffcc5f81e27492facb7c1e4
                                                                          • Opcode Fuzzy Hash: 2248826c532ff531d6ddec6f7b4879cdc6090d154c219e7ce8a696584309d092
                                                                          • Instruction Fuzzy Hash: 481103B59002098FDB20CF99D585BDEFBF4FB89324F14851AE954A7740C375A984CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetWindowLongW.USER32(?,?,?), ref: 0333FF9D
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.392532920.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_3330000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow
                                                                          • String ID:
                                                                          • API String ID: 1378638983-0
                                                                          • Opcode ID: e152fd5e7f1ae9cf1af064ddbfc9cc10963f140b7cb4457be12a6d4397375880
                                                                          • Instruction ID: b2b70d6c9c149a197548de86f38ce731e7e2ba070f40e6685cbdaad3fb5b03f7
                                                                          • Opcode Fuzzy Hash: e152fd5e7f1ae9cf1af064ddbfc9cc10963f140b7cb4457be12a6d4397375880
                                                                          • Instruction Fuzzy Hash: FF1112B58002088FDB10CF99D584BDEFBF8EB89324F14851AE918B7340C374A944CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.399275645.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_7500000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID: ResumeThread
                                                                          • String ID:
                                                                          • API String ID: 947044025-0
                                                                          • Opcode ID: 64c8d36c5c811a6f2b6dc93e6916a72db9f8bac98b5ca223a1965efcce959d5a
                                                                          • Instruction ID: 43190483993ee7e60406948cc59b213cfb65a0fca8a1183d26cd76d02ed7769c
                                                                          • Opcode Fuzzy Hash: 64c8d36c5c811a6f2b6dc93e6916a72db9f8bac98b5ca223a1965efcce959d5a
                                                                          • Instruction Fuzzy Hash: 76110DB19006098FCB20DF9AD584BDEBBF8AB88324F10885AD518A7240C775A984CFA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.391310747.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_166d000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1a77ac59e7dbc466b014e92802ccecd8b3871688be6fc77a0f7132493e1363bb
                                                                          • Instruction ID: 50722b86f5cd581233a95f43f4ce75690f20d34c3ac05a94690528d3503db849
                                                                          • Opcode Fuzzy Hash: 1a77ac59e7dbc466b014e92802ccecd8b3871688be6fc77a0f7132493e1363bb
                                                                          • Instruction Fuzzy Hash: 4E2145B1604240DFDB11DF94DDC0B26BF69FB88328F24C5A8E9454B746C336E856CBA2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.391463212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_167d000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bfbf009bf348a0df97bc8362ca122f59abd99101cdf6a49f1115861930b28935
                                                                          • Instruction ID: 60f6ee907a9e716b9d59dc41d31cd2eaa8051f4710ae742edc823ef12621dd59
                                                                          • Opcode Fuzzy Hash: bfbf009bf348a0df97bc8362ca122f59abd99101cdf6a49f1115861930b28935
                                                                          • Instruction Fuzzy Hash: A921F571604244EFDB01DF94D9C0B26BB65FF84324F24C9ADEA095B346C336D847CA61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000013.00000002.391463212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_19_2_167d000_bwjRNo.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ffcce7af4c43e16ef2baefe204579a0d36a7d99a7165ae0354329163ac63e271
                                                                          • Instruction ID: 44d4ce6723f90a0387067af3114f97609f05703aa416b1fce560beedbd31b94b
                                                                          • Opcode Fuzzy Hash: ffcce7af4c43e16ef2baefe204579a0d36a7d99a7165ae0354329163ac63e271
                                                                          • Instruction Fuzzy Hash: 46210071608240DFCB12DF64D9C0B26BB65EF84354F24C9A9E90A4B346C33AD847CA61
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.391310747.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_166d000_bwjRNo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.391463212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_167d000_bwjRNo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.391463212.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_167d000_bwjRNo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.391310747.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_166d000_bwjRNo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.391310747.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_166d000_bwjRNo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%