Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PURCHASE ORDER-6350.exe

Overview

General Information

Sample name:PURCHASE ORDER-6350.exe
Analysis ID:1519455
MD5:f89e05b5582e853a9c1a425bb21736e6
SHA1:5bee740320eddd8182d71519f3bba8198062c1f1
SHA256:b470d179064081578ef2e125c88c726a11f4129dd2593ccb84e054779ed32a21
Tags:exeuser-TeamDreier
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • PURCHASE ORDER-6350.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" MD5: F89E05B5582E853A9C1A425BB21736E6)
    • powershell.exe (PID: 7664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8032 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7772 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PURCHASE ORDER-6350.exe (PID: 7916 cmdline: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe" MD5: F89E05B5582E853A9C1A425BB21736E6)
  • fPtPRnPDTzobXQ.exe (PID: 7948 cmdline: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe MD5: F89E05B5582E853A9C1A425BB21736E6)
    • schtasks.exe (PID: 8160 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • fPtPRnPDTzobXQ.exe (PID: 7176 cmdline: "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe" MD5: F89E05B5582E853A9C1A425BB21736E6)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2eff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17082:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2be20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Process Memory Space: PURCHASE ORDER-6350.exe PID: 7460JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        8.2.PURCHASE ORDER-6350.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          8.2.PURCHASE ORDER-6350.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e1f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16282:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2eff3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x17082:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe, ParentProcessId: 7460, ParentProcessName: PURCHASE ORDER-6350.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ProcessId: 7664, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe, ParentProcessId: 7460, ParentProcessName: PURCHASE ORDER-6350.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ProcessId: 7664, ProcessName: powershell.exe
            Sigma detected: Suspicious Add Scheduled Task Parent
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe, ParentImage: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe, ParentProcessId: 7948, ParentProcessName: fPtPRnPDTzobXQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp", ProcessId: 8160, ProcessName: schtasks.exe
            Sigma detected: Suspicious Schtasks From Env Var Folder
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe, ParentProcessId: 7460, ParentProcessName: PURCHASE ORDER-6350.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", ProcessId: 7772, ProcessName: schtasks.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe, ParentProcessId: 7460, ParentProcessName: PURCHASE ORDER-6350.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ProcessId: 7664, ProcessName: powershell.exe

            Persistence and Installation Behavior

            barindex
            Sigma detected: Scheduled temp file as task from temp location
            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe", ParentImage: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe, ParentProcessId: 7460, ParentProcessName: PURCHASE ORDER-6350.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp", ProcessId: 7772, ProcessName: schtasks.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeReversingLabs: Detection: 36%
            Multi AV Scanner detection for submitted file
            Source: PURCHASE ORDER-6350.exeReversingLabs: Detection: 36%
            Yara detected FormBook
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: PURCHASE ORDER-6350.exeJoe Sandbox ML: detected
            Source: PURCHASE ORDER-6350.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: PURCHASE ORDER-6350.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PURCHASE ORDER-6350.exe, PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: nLPq.pdb source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
            Source: Binary string: nLPq.pdbSHA256j source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 4x nop then jmp 0767537Dh0_2_076756F4
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1770780900.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, fPtPRnPDTzobXQ.exe, 00000009.00000002.1894943125.0000000003322000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776428016.0000000005804000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: PURCHASE ORDER-6350.exe
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0042C283 NtClose,8_2_0042C283
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262B60 NtClose,LdrInitializeThunk,8_2_01262B60
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_01262DF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_01262C70
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012635C0 NtCreateMutant,LdrInitializeThunk,8_2_012635C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01264340 NtSetContextThread,8_2_01264340
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01264650 NtSuspendThread,8_2_01264650
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262BA0 NtEnumerateValueKey,8_2_01262BA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262B80 NtQueryInformationFile,8_2_01262B80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262BE0 NtQueryValueKey,8_2_01262BE0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262BF0 NtAllocateVirtualMemory,8_2_01262BF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262AB0 NtWaitForSingleObject,8_2_01262AB0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262AF0 NtWriteFile,8_2_01262AF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262AD0 NtReadFile,8_2_01262AD0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262D30 NtUnmapViewOfSection,8_2_01262D30
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262D00 NtSetInformationFile,8_2_01262D00
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262D10 NtMapViewOfSection,8_2_01262D10
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262DB0 NtEnumerateKey,8_2_01262DB0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262DD0 NtDelayExecution,8_2_01262DD0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262C00 NtQueryInformationProcess,8_2_01262C00
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262C60 NtCreateKey,8_2_01262C60
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262CA0 NtQueryInformationToken,8_2_01262CA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262CF0 NtOpenProcess,8_2_01262CF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262CC0 NtQueryVirtualMemory,8_2_01262CC0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262F30 NtCreateSection,8_2_01262F30
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262F60 NtCreateProcessEx,8_2_01262F60
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262FA0 NtQuerySection,8_2_01262FA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262FB0 NtResumeThread,8_2_01262FB0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262F90 NtProtectVirtualMemory,8_2_01262F90
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262FE0 NtCreateFile,8_2_01262FE0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262E30 NtWriteVirtualMemory,8_2_01262E30
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262EA0 NtAdjustPrivilegesToken,8_2_01262EA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262E80 NtReadVirtualMemory,8_2_01262E80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262EE0 NtQueueApcThread,8_2_01262EE0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01263010 NtOpenDirectoryObject,8_2_01263010
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01263090 NtSetValueKey,8_2_01263090
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012639B0 NtGetContextThread,8_2_012639B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01263D10 NtOpenProcessToken,8_2_01263D10
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01263D70 NtOpenThread,8_2_01263D70
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_02D6D5BC0_2_02D6D5BC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_076751880_2_07675188
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_076705C80_2_076705C8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_076705D80_2_076705D8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_07670E480_2_07670E48
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_07677EE80_2_07677EE8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_07670A100_2_07670A10
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0042E8E38_2_0042E8E3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0040FA418_2_0040FA41
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0040FA438_2_0040FA43
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004012608_2_00401260
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004023D08_2_004023D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004163EE8_2_004163EE
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004163F38_2_004163F3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0040FC638_2_0040FC63
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004014E08_2_004014E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0040DCE38_2_0040DCE3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00402F508_2_00402F50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004027308_2_00402730
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012201008_2_01220100
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CA1188_2_012CA118
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B81588_2_012B8158
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F01AA8_2_012F01AA
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E41A28_2_012E41A2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E81CC8_2_012E81CC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C20008_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EA3528_2_012EA352
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F03E68_2_012F03E6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E3F08_2_0123E3F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D02748_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B02C08_2_012B02C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012305358_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F05918_2_012F0591
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D44208_2_012D4420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E24468_2_012E2446
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DE4F68_2_012DE4F6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012307708_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012547508_2_01254750
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122C7C08_2_0122C7C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124C6E08_2_0124C6E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012469628_2_01246962
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A08_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012FA9A68_2_012FA9A6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123A8408_2_0123A840
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012328408_2_01232840
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012168B88_2_012168B8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E8F08_2_0125E8F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EAB408_2_012EAB40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E6BD78_2_012E6BD7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA808_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123AD008_2_0123AD00
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CCD1F8_2_012CCD1F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01248DBF8_2_01248DBF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122ADE08_2_0122ADE0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230C008_2_01230C00
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0CB58_2_012D0CB5
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220CF28_2_01220CF2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01272F288_2_01272F28
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01250F308_2_01250F30
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D2F308_2_012D2F30
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A4F408_2_012A4F40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AEFA08_2_012AEFA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01222FC88_2_01222FC8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EEE268_2_012EEE26
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230E598_2_01230E59
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242E908_2_01242E90
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012ECE938_2_012ECE93
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EEEDB8_2_012EEEDB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012FB16B8_2_012FB16B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126516C8_2_0126516C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121F1728_2_0121F172
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123B1B08_2_0123B1B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E70E98_2_012E70E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EF0E08_2_012EF0E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DF0CC8_2_012DF0CC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012370C08_2_012370C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E132D8_2_012E132D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121D34C8_2_0121D34C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0127739A8_2_0127739A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012352A08_2_012352A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D12ED8_2_012D12ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124B2C08_2_0124B2C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E75718_2_012E7571
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CD5B08_2_012CD5B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F95C38_2_012F95C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EF43F8_2_012EF43F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012214608_2_01221460
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EF7B08_2_012EF7B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012756308_2_01275630
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E16CC8_2_012E16CC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C59108_2_012C5910
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012399508_2_01239950
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124B9508_2_0124B950
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129D8008_2_0129D800
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012338E08_2_012338E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EFB768_2_012EFB76
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124FB808_2_0124FB80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A5BF08_2_012A5BF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126DBF98_2_0126DBF9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A3A6C8_2_012A3A6C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EFA498_2_012EFA49
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E7A468_2_012E7A46
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CDAAC8_2_012CDAAC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01275AA08_2_01275AA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D1AA38_2_012D1AA3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DDAC68_2_012DDAC6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E7D738_2_012E7D73
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01233D408_2_01233D40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E1D5A8_2_012E1D5A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124FDC08_2_0124FDC0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A9C328_2_012A9C32
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EFCF28_2_012EFCF2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EFF098_2_012EFF09
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EFFB18_2_012EFFB1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01231F928_2_01231F92
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01239EB08_2_01239EB0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 9_2_017C4B019_2_017C4B01
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 9_2_017CD5BC9_2_017CD5BC
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0136010013_2_01360100
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013B600013_2_013B6000
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013F02C013_2_013F02C0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137053513_2_01370535
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137077013_2_01370770
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0139475013_2_01394750
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0136C7C013_2_0136C7C0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138C6E013_2_0138C6E0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138696213_2_01386962
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013729A013_2_013729A0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137284013_2_01372840
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137A84013_2_0137A840
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013568B813_2_013568B8
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013A889013_2_013A8890
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0139E8F013_2_0139E8F0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0136EA8013_2_0136EA80
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137AD0013_2_0137AD00
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137ED7A13_2_0137ED7A
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01388DBF13_2_01388DBF
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0136ADE013_2_0136ADE0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01378DC013_2_01378DC0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01370C0013_2_01370C00
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01360CF213_2_01360CF2
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01390F3013_2_01390F30
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013B2F2813_2_013B2F28
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013E4F4013_2_013E4F40
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013EEFA013_2_013EEFA0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01362FC813_2_01362FC8
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01370E5913_2_01370E59
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01382E9013_2_01382E90
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0135F17213_2_0135F172
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013A516C13_2_013A516C
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137B1B013_2_0137B1B0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0135D34C13_2_0135D34C
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013733F313_2_013733F3
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013752A013_2_013752A0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138D2F013_2_0138D2F0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138B2C013_2_0138B2C0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0136146013_2_01361460
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137349713_2_01373497
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013B74E013_2_013B74E0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137B73013_2_0137B730
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137995013_2_01379950
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138B95013_2_0138B950
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0137599013_2_01375990
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013DD80013_2_013DD800
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013738E013_2_013738E0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138FB8013_2_0138FB80
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013ADBF913_2_013ADBF9
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013E5BF013_2_013E5BF0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013E3A6C13_2_013E3A6C
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01373D4013_2_01373D40
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_0138FDC013_2_0138FDC0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013E9C3213_2_013E9C32
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01389C2013_2_01389C20
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01371F9213_2_01371F92
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01379EB013_2_01379EB0
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: String function: 013B7E54 appears 96 times
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: String function: 013DEA12 appears 36 times
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: String function: 0129EA12 appears 86 times
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: String function: 0121B970 appears 265 times
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: String function: 012AF290 appears 105 times
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: String function: 01277E54 appears 108 times
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: String function: 01265130 appears 58 times
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1772488639.0000000004232000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350.exe
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1762744588.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PURCHASE ORDER-6350.exe
            Source: PURCHASE ORDER-6350.exe, 00000000.00000002.1784968693.0000000009D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PURCHASE ORDER-6350.exe
            Source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.000000000131D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PURCHASE ORDER-6350.exe
            Source: PURCHASE ORDER-6350.exeBinary or memory string: OriginalFilenamenLPq.exe6 vs PURCHASE ORDER-6350.exe
            Source: PURCHASE ORDER-6350.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: PURCHASE ORDER-6350.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: fPtPRnPDTzobXQ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Rk723ArKiTbtcml8Ra.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Rk723ArKiTbtcml8Ra.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@19/15@0/0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMutant created: \Sessions\1\BaseNamedObjects\WPqDITmJcliYxcgAOiUD
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD091.tmpJump to behavior
            Source: PURCHASE ORDER-6350.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: PURCHASE ORDER-6350.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: PURCHASE ORDER-6350.exeReversingLabs: Detection: 36%
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile read: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: PURCHASE ORDER-6350.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PURCHASE ORDER-6350.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: PURCHASE ORDER-6350.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP source: PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PURCHASE ORDER-6350.exe, PURCHASE ORDER-6350.exe, 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: nLPq.pdb source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr
            Source: Binary string: nLPq.pdbSHA256j source: PURCHASE ORDER-6350.exe, fPtPRnPDTzobXQ.exe.0.dr

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: PURCHASE ORDER-6350.exe, VentanaPrincipal.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: fPtPRnPDTzobXQ.exe.0.dr, VentanaPrincipal.cs.Net Code: InitializeComponent System.AppDomain.Load(byte[])
            Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.cs.Net Code: SyyWBierHE System.Reflection.Assembly.Load(byte[])
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.cs.Net Code: SyyWBierHE System.Reflection.Assembly.Load(byte[])
            Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
            Source: PURCHASE ORDER-6350.exeStatic PE information: 0xEA84B806 [Sun Sep 5 23:06:46 2094 UTC]
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 0_2_07674B02 push esp; retf 0_2_07674B09
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0041A87D push esp; retf 8_2_0041A87E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0040710D pushfd ; retf 8_2_0040710E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00423916 push esi; retf 8_2_0042392E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00423923 push esi; retf 8_2_0042392E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004031D0 push eax; ret 8_2_004031D2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00418B76 push ebx; retf 8_2_00418B77
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00423B35 push cs; retf 8_2_00423B36
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0041A3C1 push edi; retf 8_2_0041A3C7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004143E3 push edi; iretd 8_2_004143EF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00423C2F push C67CA722h; ret 8_2_00423C34
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00411DA3 push edi; iretd 8_2_00411DAF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_00424700 push ecx; retf 8_2_00424749
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004247A8 push edi; ret 8_2_004247AC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_011F225F pushad ; ret 8_2_011F27F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_011F27FA pushad ; ret 8_2_011F27F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012209AD push ecx; mov dword ptr [esp], ecx8_2_012209B6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_011F283D push eax; iretd 8_2_011F2858
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_011F1368 push eax; iretd 8_2_011F1369
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 9_2_017CE9FB pushfd ; retf 9_2_017CEA01
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 9_2_017CF113 push eax; iretd 9_2_017CF119
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013AC54F push 8B013367h; ret 13_2_013AC554
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013AC54D pushfd ; ret 13_2_013AC54E
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013609AD push ecx; mov dword ptr [esp], ecx13_2_013609B6
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013AC9D7 push edi; ret 13_2_013AC9D9
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01331344 push eax; iretd 13_2_01331369
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_01331FEC push eax; iretd 13_2_01331FED
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeCode function: 13_2_013B7E99 push ecx; ret 13_2_013B7EAC
            Source: PURCHASE ORDER-6350.exeStatic PE information: section name: .text entropy: 7.849261127100481
            Source: fPtPRnPDTzobXQ.exe.0.drStatic PE information: section name: .text entropy: 7.849261127100481
            Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 0.2.PURCHASE ORDER-6350.exe.59d0000.2.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 0.2.PURCHASE ORDER-6350.exe.2fc6f18.0.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, KsrdrsOdVPvjmXHTLr.csHigh entropy of concatenated method names: 'lwjZCVnYA4', 'dyrZNdF7q0', 'vIdZBMkjeB', 'swaZktlEtA', 'X11ZfRHwZs', 'haRZ162bjV', 'gvaZ7Sqgh4', 'RtxZrpD7BU', 'jijZtO34RU', 'R6fZFbJHY5'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, undML2y4V1go0ZJeQP.csHigh entropy of concatenated method names: 'WgjXHjfv8v', 'L4lXi39TNQ', 'ympXyHJEX5', 'duyXlf5fMI', 'KPiXe4XulY', 'BmcXE01wop', 'hxyX48CNgJ', 'DpwX0EX0lh', 'IvqXYy3sBr', 'Y2UXwJIKvk'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, VCADiltTrh3sqYg5xc.csHigh entropy of concatenated method names: 'eXZPkCiWWT', 'cB3P19eler', 'zRKPrLqx8l', 'dmkPtL7iHU', 'ogIPX7TrfL', 'sJMPuItO8V', 'Ha4P5bSnUW', 'GkfPdI89QD', 'W52PjYk61V', 'NJoPn1Ddj1'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, iBiV2C2Vc6aMIgSOoj.csHigh entropy of concatenated method names: 'hVW5b3hCgh', 'rbF5VgTfOG', 'zVbd9o5kVD', 'pLmd6rxbAs', 'c7A5DbU7Zh', 'UBw5iyBOVr', 'u125G2eDg9', 'Qli5yMsUJe', 'n115lHkOsX', 'SP75AotGGd'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, E6tjfjQhZwuvpgS8ED.csHigh entropy of concatenated method names: 'MgXxKQvDWQ', 'z4FxamfRYw', 'TUcxhsNmfi', 'I6wxZu1luv', 'y0VxR3Hxqw', 'yZthcfvKls', 'GQPh26aPdN', 'FbMhgyZE4I', 'yrvhbSfed6', 'ynBh3A5d5A'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, aJbcMuGWYyPnxPuAfh.csHigh entropy of concatenated method names: 'qTILrEPJar', 'KElLtmyxpO', 'txNLQm0i1x', 'dueLeZER2i', 'clRL4BM0vx', 'xeHL039IY2', 'pToLwNFI7X', 'G8KLs4p4m3', 'SeILHHNPPa', 'JWvLDe9I0o'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, lNVCUfPgOf8vVXOPFR.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAnq3EH8o9', 'Vg3qVVXawN', 'AraqzE8AtX', 'dAES9wAnkn', 'u1IS6W8W7R', 'eisSqoa0Fq', 'K9QSSpi6nI', 'xnasH2IBeFeuNihjVkU'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, zqpCvEwpXNDhxphlvP.csHigh entropy of concatenated method names: 'oo4ZvpKQHi', 'jKUZPc7dD2', 'yVNZxEFB8W', 'PYBxV5orUb', 'H5xxz5fH3t', 'WvWZ9DyCGP', 'taMZ6Ksi11', 'hCeZq4l6h9', 'GGXZSsMfpJ', 'bmLZWKR64J'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, zMkoDZzFwaQcW7eJCv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hggjLFi6Hk', 'yVIjX57ivJ', 'WKajuLK3Jq', 'Teoj5EF60I', 'mwrjdw9BQ1', 'gHhjjtfaec', 'le0jneLRyA'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, qAx10cWHgAE7nPkcKV.csHigh entropy of concatenated method names: 'sKl6Zk723A', 'eiT6Rbtcml', 'STr6oh3sqY', 'W5x6TcS2LZ', 'GsQ6XlHt6t', 'rfj6uhZwuv', 'thXPv1Euw3kghU9j3e', 'hLB4EkpJgJwv2RckfG', 'cvo6679yHD', 'aLj6SVJFfj'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, bQqa3CbKB0K6BwvSlg.csHigh entropy of concatenated method names: 'rPkdvJT43s', 'kXhda0xSmI', 'Y9CdPp4NJc', 'x7odh7hspb', 'l6Qdx6aXrp', 'EmodZsR6hI', 'ih1dRjm3jw', 'KPddIlqgHF', 'BPwdoalF1D', 'VkNdTPVOWn'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, AZMFiKAOIrw31C7ywp.csHigh entropy of concatenated method names: 'ToString', 'j9puDvnjNA', 'NP6ueTk8qh', 'paJuE872rx', 'mxcu47MA2F', 'Uk2u0YSX2F', 'mqBuYJnVFP', 'vqcuw8Nq3Y', 'XpfusntDHl', 'R3WuOBeDBQ'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Rk723ArKiTbtcml8Ra.csHigh entropy of concatenated method names: 'jefaynLnSb', 'NpDal1Jvnm', 'uJXaAPtNmb', 'm57aMiqMfA', 'kvkacsnXZ4', 'yVYa2xfcUF', 'NEdagRP5bQ', 'w8oabBhH2M', 'UMBa3lFgVR', 'XGwaV96dHb'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, ya5aN7q4QEmDi4qyRj.csHigh entropy of concatenated method names: 'vfIBLAuQc', 'PuDkZyN0u', 'ALU16HUJt', 'FKS7q5VnB', 'cv4t8TaKk', 'aP9FRhqn2', 'MDGl6U9tYrAdePDbRM', 'zmv5kpsOHf3I65GBDr', 'NLNdjesep', 'U5xnCIiqH'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, TLjILTVf9QWymvEYaL.csHigh entropy of concatenated method names: 'QBRj68XjUb', 'nGnjS7h44o', 'tWBjWQgAFG', 'AyOjvnpWE7', 'M0Pjaih2Qo', 'n35jhqEY6t', 'NoMjxyw3kS', 'APbdg5HgOc', 'hJsdbt7lqy', 'Ye8d3oh28j'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, FZ6QukRAeDIuJEHifZ.csHigh entropy of concatenated method names: 'g0USKMhSSG', 'isaSvRbuQu', 'we0SaR2PaO', 'CdBSPSRIGU', 'kNAShPxLIy', 'DTLSxRCktm', 'pgASZOASDP', 'bBTSRdlS4L', 'IpdSId6KTP', 'eANSoFQpCK'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Ij5Reu6SUZNHtMPmcKG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HXnnyt86rd', 'FWtnlVrZJN', 'LwinAP1tsd', 'ePDnMVGydv', 'rEqncbBs5d', 'Pm8n2RQvSJ', 'agcng05vpg'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, d2LZDOFei5OokQsQlH.csHigh entropy of concatenated method names: 'dCkhfS24nG', 'jj4h7YK8I6', 'NYGPERgsBW', 'mpUP4mhmRn', 'ANfP0jhQBD', 'iMMPYSrSLa', 'Vb8PwU2LZH', 'jKAPsBHaQe', 'fMFPORoREE', 'd6rPH9xEcH'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, EBAJ9F69KN4UpmhYvh7.csHigh entropy of concatenated method names: 'e66jCiCMTI', 'OWCjNjMyBk', 'OI3jBIYHad', 'RFIjkHXgb5', 'FV3jfdF1VP', 'QJmj1BvpqW', 'DBFj7W5Yq1', 'xNrjr4BF5l', 'RNljtlgNw7', 'SeajFWmEEj'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, iN9InB3Hg4ond1noeE.csHigh entropy of concatenated method names: 'j3JdQtmdkB', 'u3Vde5Jtyq', 'PfUdEUEw8Z', 'XGLd4IBv2h', 'Flwdy5WvTi', 'Mx5d0wF3Nv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, lxPrpGa8NRbiScClQu.csHigh entropy of concatenated method names: 'Dispose', 'n4e63KxOdI', 'KXcqeXC3wM', 'kbhvvjEFvw', 'LqQ6Vqa3CK', 'z0K6z6BwvS', 'ProcessDialogKey', 'Sgxq9N9InB', 'Ng4q6ond1n', 'meEqqMLjIL'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, t1MhDy4HE7FMV40LBR.csHigh entropy of concatenated method names: 'R2Kx8EALSL', 'wArxCFfqLi', 'qNOxBIbT8q', 'Lyhxkej93Q', 'X5dx1NRupe', 'ATTx7HR8pb', 'zp0xtcpmns', 'G2UxFgZmho', 'WGujAZ3YPOchmnrvlEj', 'O3NtXQ3HEqDY72diVvl'
            Source: 0.2.PURCHASE ORDER-6350.exe.4256100.1.raw.unpack, Yhvd09McYIBPwo6BUE.csHigh entropy of concatenated method names: 'ekg5oBlOj8', 'eKq5TBM7OE', 'ToString', 'r0I5vTOPKv', 'Gv05ayXeoV', 'Y235PiNUQm', 'L3i5hpMGsi', 'JoI5xQNVBH', 'F0r5Zo6Fhc', 'JD65RpYMF8'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, KsrdrsOdVPvjmXHTLr.csHigh entropy of concatenated method names: 'lwjZCVnYA4', 'dyrZNdF7q0', 'vIdZBMkjeB', 'swaZktlEtA', 'X11ZfRHwZs', 'haRZ162bjV', 'gvaZ7Sqgh4', 'RtxZrpD7BU', 'jijZtO34RU', 'R6fZFbJHY5'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, undML2y4V1go0ZJeQP.csHigh entropy of concatenated method names: 'WgjXHjfv8v', 'L4lXi39TNQ', 'ympXyHJEX5', 'duyXlf5fMI', 'KPiXe4XulY', 'BmcXE01wop', 'hxyX48CNgJ', 'DpwX0EX0lh', 'IvqXYy3sBr', 'Y2UXwJIKvk'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, VCADiltTrh3sqYg5xc.csHigh entropy of concatenated method names: 'eXZPkCiWWT', 'cB3P19eler', 'zRKPrLqx8l', 'dmkPtL7iHU', 'ogIPX7TrfL', 'sJMPuItO8V', 'Ha4P5bSnUW', 'GkfPdI89QD', 'W52PjYk61V', 'NJoPn1Ddj1'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, iBiV2C2Vc6aMIgSOoj.csHigh entropy of concatenated method names: 'hVW5b3hCgh', 'rbF5VgTfOG', 'zVbd9o5kVD', 'pLmd6rxbAs', 'c7A5DbU7Zh', 'UBw5iyBOVr', 'u125G2eDg9', 'Qli5yMsUJe', 'n115lHkOsX', 'SP75AotGGd'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, E6tjfjQhZwuvpgS8ED.csHigh entropy of concatenated method names: 'MgXxKQvDWQ', 'z4FxamfRYw', 'TUcxhsNmfi', 'I6wxZu1luv', 'y0VxR3Hxqw', 'yZthcfvKls', 'GQPh26aPdN', 'FbMhgyZE4I', 'yrvhbSfed6', 'ynBh3A5d5A'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, aJbcMuGWYyPnxPuAfh.csHigh entropy of concatenated method names: 'qTILrEPJar', 'KElLtmyxpO', 'txNLQm0i1x', 'dueLeZER2i', 'clRL4BM0vx', 'xeHL039IY2', 'pToLwNFI7X', 'G8KLs4p4m3', 'SeILHHNPPa', 'JWvLDe9I0o'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, lNVCUfPgOf8vVXOPFR.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAnq3EH8o9', 'Vg3qVVXawN', 'AraqzE8AtX', 'dAES9wAnkn', 'u1IS6W8W7R', 'eisSqoa0Fq', 'K9QSSpi6nI', 'xnasH2IBeFeuNihjVkU'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, zqpCvEwpXNDhxphlvP.csHigh entropy of concatenated method names: 'oo4ZvpKQHi', 'jKUZPc7dD2', 'yVNZxEFB8W', 'PYBxV5orUb', 'H5xxz5fH3t', 'WvWZ9DyCGP', 'taMZ6Ksi11', 'hCeZq4l6h9', 'GGXZSsMfpJ', 'bmLZWKR64J'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, zMkoDZzFwaQcW7eJCv.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hggjLFi6Hk', 'yVIjX57ivJ', 'WKajuLK3Jq', 'Teoj5EF60I', 'mwrjdw9BQ1', 'gHhjjtfaec', 'le0jneLRyA'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, qAx10cWHgAE7nPkcKV.csHigh entropy of concatenated method names: 'sKl6Zk723A', 'eiT6Rbtcml', 'STr6oh3sqY', 'W5x6TcS2LZ', 'GsQ6XlHt6t', 'rfj6uhZwuv', 'thXPv1Euw3kghU9j3e', 'hLB4EkpJgJwv2RckfG', 'cvo6679yHD', 'aLj6SVJFfj'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, bQqa3CbKB0K6BwvSlg.csHigh entropy of concatenated method names: 'rPkdvJT43s', 'kXhda0xSmI', 'Y9CdPp4NJc', 'x7odh7hspb', 'l6Qdx6aXrp', 'EmodZsR6hI', 'ih1dRjm3jw', 'KPddIlqgHF', 'BPwdoalF1D', 'VkNdTPVOWn'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, AZMFiKAOIrw31C7ywp.csHigh entropy of concatenated method names: 'ToString', 'j9puDvnjNA', 'NP6ueTk8qh', 'paJuE872rx', 'mxcu47MA2F', 'Uk2u0YSX2F', 'mqBuYJnVFP', 'vqcuw8Nq3Y', 'XpfusntDHl', 'R3WuOBeDBQ'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Rk723ArKiTbtcml8Ra.csHigh entropy of concatenated method names: 'jefaynLnSb', 'NpDal1Jvnm', 'uJXaAPtNmb', 'm57aMiqMfA', 'kvkacsnXZ4', 'yVYa2xfcUF', 'NEdagRP5bQ', 'w8oabBhH2M', 'UMBa3lFgVR', 'XGwaV96dHb'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, ya5aN7q4QEmDi4qyRj.csHigh entropy of concatenated method names: 'vfIBLAuQc', 'PuDkZyN0u', 'ALU16HUJt', 'FKS7q5VnB', 'cv4t8TaKk', 'aP9FRhqn2', 'MDGl6U9tYrAdePDbRM', 'zmv5kpsOHf3I65GBDr', 'NLNdjesep', 'U5xnCIiqH'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, TLjILTVf9QWymvEYaL.csHigh entropy of concatenated method names: 'QBRj68XjUb', 'nGnjS7h44o', 'tWBjWQgAFG', 'AyOjvnpWE7', 'M0Pjaih2Qo', 'n35jhqEY6t', 'NoMjxyw3kS', 'APbdg5HgOc', 'hJsdbt7lqy', 'Ye8d3oh28j'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, FZ6QukRAeDIuJEHifZ.csHigh entropy of concatenated method names: 'g0USKMhSSG', 'isaSvRbuQu', 'we0SaR2PaO', 'CdBSPSRIGU', 'kNAShPxLIy', 'DTLSxRCktm', 'pgASZOASDP', 'bBTSRdlS4L', 'IpdSId6KTP', 'eANSoFQpCK'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Ij5Reu6SUZNHtMPmcKG.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HXnnyt86rd', 'FWtnlVrZJN', 'LwinAP1tsd', 'ePDnMVGydv', 'rEqncbBs5d', 'Pm8n2RQvSJ', 'agcng05vpg'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, d2LZDOFei5OokQsQlH.csHigh entropy of concatenated method names: 'dCkhfS24nG', 'jj4h7YK8I6', 'NYGPERgsBW', 'mpUP4mhmRn', 'ANfP0jhQBD', 'iMMPYSrSLa', 'Vb8PwU2LZH', 'jKAPsBHaQe', 'fMFPORoREE', 'd6rPH9xEcH'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, EBAJ9F69KN4UpmhYvh7.csHigh entropy of concatenated method names: 'e66jCiCMTI', 'OWCjNjMyBk', 'OI3jBIYHad', 'RFIjkHXgb5', 'FV3jfdF1VP', 'QJmj1BvpqW', 'DBFj7W5Yq1', 'xNrjr4BF5l', 'RNljtlgNw7', 'SeajFWmEEj'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, iN9InB3Hg4ond1noeE.csHigh entropy of concatenated method names: 'j3JdQtmdkB', 'u3Vde5Jtyq', 'PfUdEUEw8Z', 'XGLd4IBv2h', 'Flwdy5WvTi', 'Mx5d0wF3Nv', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, lxPrpGa8NRbiScClQu.csHigh entropy of concatenated method names: 'Dispose', 'n4e63KxOdI', 'KXcqeXC3wM', 'kbhvvjEFvw', 'LqQ6Vqa3CK', 'z0K6z6BwvS', 'ProcessDialogKey', 'Sgxq9N9InB', 'Ng4q6ond1n', 'meEqqMLjIL'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, t1MhDy4HE7FMV40LBR.csHigh entropy of concatenated method names: 'R2Kx8EALSL', 'wArxCFfqLi', 'qNOxBIbT8q', 'Lyhxkej93Q', 'X5dx1NRupe', 'ATTx7HR8pb', 'zp0xtcpmns', 'G2UxFgZmho', 'WGujAZ3YPOchmnrvlEj', 'O3NtXQ3HEqDY72diVvl'
            Source: 0.2.PURCHASE ORDER-6350.exe.9d50000.3.raw.unpack, Yhvd09McYIBPwo6BUE.csHigh entropy of concatenated method names: 'ekg5oBlOj8', 'eKq5TBM7OE', 'ToString', 'r0I5vTOPKv', 'Gv05ayXeoV', 'Y235PiNUQm', 'L3i5hpMGsi', 'JoI5xQNVBH', 'F0r5Zo6Fhc', 'JD65RpYMF8'
            Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
            Source: 9.2.fPtPRnPDTzobXQ.exe.3306f2c.0.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeFile created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER-6350.exe PID: 7460, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: fPtPRnPDTzobXQ.exe PID: 7948, type: MEMORYSTR
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: 1410000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: 1410000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: 9EE0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: AEE0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: B120000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: C120000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 17C0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 32D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 31D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 7BD0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 8BD0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 8D70000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeMemory allocated: 9D70000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126096E rdtsc 8_2_0126096E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2540Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4779Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeAPI coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeAPI coverage: 0.3 %
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe TID: 7480Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7752Thread sleep count: 2540 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756Thread sleep count: 98 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe TID: 7920Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe TID: 8108Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe TID: 7180Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: fPtPRnPDTzobXQ.exe, 00000009.00000002.1854768936.00000000015B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126096E rdtsc 8_2_0126096E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_004173A3 LdrLoadDll,8_2_004173A3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01250124 mov eax, dword ptr fs:[00000030h]8_2_01250124
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov eax, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE10E mov ecx, dword ptr fs:[00000030h]8_2_012CE10E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CA118 mov ecx, dword ptr fs:[00000030h]8_2_012CA118
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h]8_2_012CA118
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h]8_2_012CA118
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CA118 mov eax, dword ptr fs:[00000030h]8_2_012CA118
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E0115 mov eax, dword ptr fs:[00000030h]8_2_012E0115
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4164 mov eax, dword ptr fs:[00000030h]8_2_012F4164
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4164 mov eax, dword ptr fs:[00000030h]8_2_012F4164
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h]8_2_012B4144
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h]8_2_012B4144
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B4144 mov ecx, dword ptr fs:[00000030h]8_2_012B4144
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h]8_2_012B4144
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B4144 mov eax, dword ptr fs:[00000030h]8_2_012B4144
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B8158 mov eax, dword ptr fs:[00000030h]8_2_012B8158
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226154 mov eax, dword ptr fs:[00000030h]8_2_01226154
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226154 mov eax, dword ptr fs:[00000030h]8_2_01226154
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121C156 mov eax, dword ptr fs:[00000030h]8_2_0121C156
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01260185 mov eax, dword ptr fs:[00000030h]8_2_01260185
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DC188 mov eax, dword ptr fs:[00000030h]8_2_012DC188
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DC188 mov eax, dword ptr fs:[00000030h]8_2_012DC188
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C4180 mov eax, dword ptr fs:[00000030h]8_2_012C4180
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C4180 mov eax, dword ptr fs:[00000030h]8_2_012C4180
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A019F mov eax, dword ptr fs:[00000030h]8_2_012A019F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A019F mov eax, dword ptr fs:[00000030h]8_2_012A019F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A019F mov eax, dword ptr fs:[00000030h]8_2_012A019F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A019F mov eax, dword ptr fs:[00000030h]8_2_012A019F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h]8_2_0121A197
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h]8_2_0121A197
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A197 mov eax, dword ptr fs:[00000030h]8_2_0121A197
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F61E5 mov eax, dword ptr fs:[00000030h]8_2_012F61E5
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012501F8 mov eax, dword ptr fs:[00000030h]8_2_012501F8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E61C3 mov eax, dword ptr fs:[00000030h]8_2_012E61C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E61C3 mov eax, dword ptr fs:[00000030h]8_2_012E61C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h]8_2_0129E1D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h]8_2_0129E1D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E1D0 mov ecx, dword ptr fs:[00000030h]8_2_0129E1D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h]8_2_0129E1D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E1D0 mov eax, dword ptr fs:[00000030h]8_2_0129E1D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A020 mov eax, dword ptr fs:[00000030h]8_2_0121A020
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121C020 mov eax, dword ptr fs:[00000030h]8_2_0121C020
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6030 mov eax, dword ptr fs:[00000030h]8_2_012B6030
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A4000 mov ecx, dword ptr fs:[00000030h]8_2_012A4000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C2000 mov eax, dword ptr fs:[00000030h]8_2_012C2000
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h]8_2_0123E016
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h]8_2_0123E016
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h]8_2_0123E016
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E016 mov eax, dword ptr fs:[00000030h]8_2_0123E016
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124C073 mov eax, dword ptr fs:[00000030h]8_2_0124C073
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01222050 mov eax, dword ptr fs:[00000030h]8_2_01222050
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6050 mov eax, dword ptr fs:[00000030h]8_2_012A6050
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012180A0 mov eax, dword ptr fs:[00000030h]8_2_012180A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B80A8 mov eax, dword ptr fs:[00000030h]8_2_012B80A8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E60B8 mov eax, dword ptr fs:[00000030h]8_2_012E60B8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E60B8 mov ecx, dword ptr fs:[00000030h]8_2_012E60B8
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122208A mov eax, dword ptr fs:[00000030h]8_2_0122208A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0121A0E3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A60E0 mov eax, dword ptr fs:[00000030h]8_2_012A60E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012280E9 mov eax, dword ptr fs:[00000030h]8_2_012280E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121C0F0 mov eax, dword ptr fs:[00000030h]8_2_0121C0F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012620F0 mov ecx, dword ptr fs:[00000030h]8_2_012620F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A20DE mov eax, dword ptr fs:[00000030h]8_2_012A20DE
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h]8_2_012F8324
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F8324 mov ecx, dword ptr fs:[00000030h]8_2_012F8324
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h]8_2_012F8324
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F8324 mov eax, dword ptr fs:[00000030h]8_2_012F8324
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h]8_2_0125A30B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h]8_2_0125A30B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A30B mov eax, dword ptr fs:[00000030h]8_2_0125A30B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121C310 mov ecx, dword ptr fs:[00000030h]8_2_0121C310
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01240310 mov ecx, dword ptr fs:[00000030h]8_2_01240310
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C437C mov eax, dword ptr fs:[00000030h]8_2_012C437C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F634F mov eax, dword ptr fs:[00000030h]8_2_012F634F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A2349 mov eax, dword ptr fs:[00000030h]8_2_012A2349
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov eax, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov eax, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov eax, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov ecx, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov eax, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A035C mov eax, dword ptr fs:[00000030h]8_2_012A035C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EA352 mov eax, dword ptr fs:[00000030h]8_2_012EA352
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C8350 mov ecx, dword ptr fs:[00000030h]8_2_012C8350
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h]8_2_0121E388
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h]8_2_0121E388
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E388 mov eax, dword ptr fs:[00000030h]8_2_0121E388
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124438F mov eax, dword ptr fs:[00000030h]8_2_0124438F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124438F mov eax, dword ptr fs:[00000030h]8_2_0124438F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218397 mov eax, dword ptr fs:[00000030h]8_2_01218397
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218397 mov eax, dword ptr fs:[00000030h]8_2_01218397
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218397 mov eax, dword ptr fs:[00000030h]8_2_01218397
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012303E9 mov eax, dword ptr fs:[00000030h]8_2_012303E9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h]8_2_0123E3F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h]8_2_0123E3F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E3F0 mov eax, dword ptr fs:[00000030h]8_2_0123E3F0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012563FF mov eax, dword ptr fs:[00000030h]8_2_012563FF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DC3CD mov eax, dword ptr fs:[00000030h]8_2_012DC3CD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A3C0 mov eax, dword ptr fs:[00000030h]8_2_0122A3C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h]8_2_012283C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h]8_2_012283C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h]8_2_012283C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012283C0 mov eax, dword ptr fs:[00000030h]8_2_012283C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A63C0 mov eax, dword ptr fs:[00000030h]8_2_012A63C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h]8_2_012CE3DB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h]8_2_012CE3DB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE3DB mov ecx, dword ptr fs:[00000030h]8_2_012CE3DB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CE3DB mov eax, dword ptr fs:[00000030h]8_2_012CE3DB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C43D4 mov eax, dword ptr fs:[00000030h]8_2_012C43D4
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C43D4 mov eax, dword ptr fs:[00000030h]8_2_012C43D4
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121823B mov eax, dword ptr fs:[00000030h]8_2_0121823B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224260 mov eax, dword ptr fs:[00000030h]8_2_01224260
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224260 mov eax, dword ptr fs:[00000030h]8_2_01224260
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224260 mov eax, dword ptr fs:[00000030h]8_2_01224260
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121826B mov eax, dword ptr fs:[00000030h]8_2_0121826B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D0274 mov eax, dword ptr fs:[00000030h]8_2_012D0274
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A8243 mov eax, dword ptr fs:[00000030h]8_2_012A8243
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A8243 mov ecx, dword ptr fs:[00000030h]8_2_012A8243
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121A250 mov eax, dword ptr fs:[00000030h]8_2_0121A250
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F625D mov eax, dword ptr fs:[00000030h]8_2_012F625D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226259 mov eax, dword ptr fs:[00000030h]8_2_01226259
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DA250 mov eax, dword ptr fs:[00000030h]8_2_012DA250
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DA250 mov eax, dword ptr fs:[00000030h]8_2_012DA250
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012302A0 mov eax, dword ptr fs:[00000030h]8_2_012302A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012302A0 mov eax, dword ptr fs:[00000030h]8_2_012302A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov ecx, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B62A0 mov eax, dword ptr fs:[00000030h]8_2_012B62A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E284 mov eax, dword ptr fs:[00000030h]8_2_0125E284
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E284 mov eax, dword ptr fs:[00000030h]8_2_0125E284
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h]8_2_012A0283
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h]8_2_012A0283
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A0283 mov eax, dword ptr fs:[00000030h]8_2_012A0283
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h]8_2_012302E1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h]8_2_012302E1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012302E1 mov eax, dword ptr fs:[00000030h]8_2_012302E1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h]8_2_0122A2C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h]8_2_0122A2C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h]8_2_0122A2C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h]8_2_0122A2C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A2C3 mov eax, dword ptr fs:[00000030h]8_2_0122A2C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F62D6 mov eax, dword ptr fs:[00000030h]8_2_012F62D6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230535 mov eax, dword ptr fs:[00000030h]8_2_01230535
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h]8_2_0124E53E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h]8_2_0124E53E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h]8_2_0124E53E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h]8_2_0124E53E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E53E mov eax, dword ptr fs:[00000030h]8_2_0124E53E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6500 mov eax, dword ptr fs:[00000030h]8_2_012B6500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4500 mov eax, dword ptr fs:[00000030h]8_2_012F4500
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125656A mov eax, dword ptr fs:[00000030h]8_2_0125656A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125656A mov eax, dword ptr fs:[00000030h]8_2_0125656A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125656A mov eax, dword ptr fs:[00000030h]8_2_0125656A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228550 mov eax, dword ptr fs:[00000030h]8_2_01228550
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228550 mov eax, dword ptr fs:[00000030h]8_2_01228550
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h]8_2_012A05A7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h]8_2_012A05A7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A05A7 mov eax, dword ptr fs:[00000030h]8_2_012A05A7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012445B1 mov eax, dword ptr fs:[00000030h]8_2_012445B1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012445B1 mov eax, dword ptr fs:[00000030h]8_2_012445B1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01222582 mov eax, dword ptr fs:[00000030h]8_2_01222582
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01222582 mov ecx, dword ptr fs:[00000030h]8_2_01222582
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01254588 mov eax, dword ptr fs:[00000030h]8_2_01254588
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E59C mov eax, dword ptr fs:[00000030h]8_2_0125E59C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012225E0 mov eax, dword ptr fs:[00000030h]8_2_012225E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E5E7 mov eax, dword ptr fs:[00000030h]8_2_0124E5E7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C5ED mov eax, dword ptr fs:[00000030h]8_2_0125C5ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C5ED mov eax, dword ptr fs:[00000030h]8_2_0125C5ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E5CF mov eax, dword ptr fs:[00000030h]8_2_0125E5CF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E5CF mov eax, dword ptr fs:[00000030h]8_2_0125E5CF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012265D0 mov eax, dword ptr fs:[00000030h]8_2_012265D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A5D0 mov eax, dword ptr fs:[00000030h]8_2_0125A5D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A5D0 mov eax, dword ptr fs:[00000030h]8_2_0125A5D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h]8_2_0121E420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h]8_2_0121E420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121E420 mov eax, dword ptr fs:[00000030h]8_2_0121E420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121C427 mov eax, dword ptr fs:[00000030h]8_2_0121C427
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A6420 mov eax, dword ptr fs:[00000030h]8_2_012A6420
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A430 mov eax, dword ptr fs:[00000030h]8_2_0125A430
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01258402 mov eax, dword ptr fs:[00000030h]8_2_01258402
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01258402 mov eax, dword ptr fs:[00000030h]8_2_01258402
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01258402 mov eax, dword ptr fs:[00000030h]8_2_01258402
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AC460 mov ecx, dword ptr fs:[00000030h]8_2_012AC460
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h]8_2_0124A470
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h]8_2_0124A470
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124A470 mov eax, dword ptr fs:[00000030h]8_2_0124A470
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125E443 mov eax, dword ptr fs:[00000030h]8_2_0125E443
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DA456 mov eax, dword ptr fs:[00000030h]8_2_012DA456
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121645D mov eax, dword ptr fs:[00000030h]8_2_0121645D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124245A mov eax, dword ptr fs:[00000030h]8_2_0124245A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012264AB mov eax, dword ptr fs:[00000030h]8_2_012264AB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012544B0 mov ecx, dword ptr fs:[00000030h]8_2_012544B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AA4B0 mov eax, dword ptr fs:[00000030h]8_2_012AA4B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012DA49A mov eax, dword ptr fs:[00000030h]8_2_012DA49A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012204E5 mov ecx, dword ptr fs:[00000030h]8_2_012204E5
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C720 mov eax, dword ptr fs:[00000030h]8_2_0125C720
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C720 mov eax, dword ptr fs:[00000030h]8_2_0125C720
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125273C mov eax, dword ptr fs:[00000030h]8_2_0125273C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125273C mov ecx, dword ptr fs:[00000030h]8_2_0125273C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125273C mov eax, dword ptr fs:[00000030h]8_2_0125273C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129C730 mov eax, dword ptr fs:[00000030h]8_2_0129C730
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C700 mov eax, dword ptr fs:[00000030h]8_2_0125C700
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220710 mov eax, dword ptr fs:[00000030h]8_2_01220710
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01250710 mov eax, dword ptr fs:[00000030h]8_2_01250710
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228770 mov eax, dword ptr fs:[00000030h]8_2_01228770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230770 mov eax, dword ptr fs:[00000030h]8_2_01230770
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125674D mov esi, dword ptr fs:[00000030h]8_2_0125674D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125674D mov eax, dword ptr fs:[00000030h]8_2_0125674D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125674D mov eax, dword ptr fs:[00000030h]8_2_0125674D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220750 mov eax, dword ptr fs:[00000030h]8_2_01220750
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262750 mov eax, dword ptr fs:[00000030h]8_2_01262750
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262750 mov eax, dword ptr fs:[00000030h]8_2_01262750
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AE75D mov eax, dword ptr fs:[00000030h]8_2_012AE75D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A4755 mov eax, dword ptr fs:[00000030h]8_2_012A4755
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012207AF mov eax, dword ptr fs:[00000030h]8_2_012207AF
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D47A0 mov eax, dword ptr fs:[00000030h]8_2_012D47A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C678E mov eax, dword ptr fs:[00000030h]8_2_012C678E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012427ED mov eax, dword ptr fs:[00000030h]8_2_012427ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012427ED mov eax, dword ptr fs:[00000030h]8_2_012427ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012427ED mov eax, dword ptr fs:[00000030h]8_2_012427ED
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AE7E1 mov eax, dword ptr fs:[00000030h]8_2_012AE7E1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012247FB mov eax, dword ptr fs:[00000030h]8_2_012247FB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012247FB mov eax, dword ptr fs:[00000030h]8_2_012247FB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122C7C0 mov eax, dword ptr fs:[00000030h]8_2_0122C7C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A07C3 mov eax, dword ptr fs:[00000030h]8_2_012A07C3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123E627 mov eax, dword ptr fs:[00000030h]8_2_0123E627
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01256620 mov eax, dword ptr fs:[00000030h]8_2_01256620
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01258620 mov eax, dword ptr fs:[00000030h]8_2_01258620
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122262C mov eax, dword ptr fs:[00000030h]8_2_0122262C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E609 mov eax, dword ptr fs:[00000030h]8_2_0129E609
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123260B mov eax, dword ptr fs:[00000030h]8_2_0123260B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01262619 mov eax, dword ptr fs:[00000030h]8_2_01262619
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E866E mov eax, dword ptr fs:[00000030h]8_2_012E866E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E866E mov eax, dword ptr fs:[00000030h]8_2_012E866E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A660 mov eax, dword ptr fs:[00000030h]8_2_0125A660
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A660 mov eax, dword ptr fs:[00000030h]8_2_0125A660
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01252674 mov eax, dword ptr fs:[00000030h]8_2_01252674
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0123C640 mov eax, dword ptr fs:[00000030h]8_2_0123C640
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C6A6 mov eax, dword ptr fs:[00000030h]8_2_0125C6A6
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012566B0 mov eax, dword ptr fs:[00000030h]8_2_012566B0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224690 mov eax, dword ptr fs:[00000030h]8_2_01224690
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224690 mov eax, dword ptr fs:[00000030h]8_2_01224690
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h]8_2_0129E6F2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h]8_2_0129E6F2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h]8_2_0129E6F2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E6F2 mov eax, dword ptr fs:[00000030h]8_2_0129E6F2
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A06F1 mov eax, dword ptr fs:[00000030h]8_2_012A06F1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A06F1 mov eax, dword ptr fs:[00000030h]8_2_012A06F1
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0125A6C7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A6C7 mov eax, dword ptr fs:[00000030h]8_2_0125A6C7
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A892A mov eax, dword ptr fs:[00000030h]8_2_012A892A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B892B mov eax, dword ptr fs:[00000030h]8_2_012B892B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E908 mov eax, dword ptr fs:[00000030h]8_2_0129E908
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129E908 mov eax, dword ptr fs:[00000030h]8_2_0129E908
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AC912 mov eax, dword ptr fs:[00000030h]8_2_012AC912
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218918 mov eax, dword ptr fs:[00000030h]8_2_01218918
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218918 mov eax, dword ptr fs:[00000030h]8_2_01218918
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01246962 mov eax, dword ptr fs:[00000030h]8_2_01246962
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01246962 mov eax, dword ptr fs:[00000030h]8_2_01246962
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01246962 mov eax, dword ptr fs:[00000030h]8_2_01246962
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126096E mov eax, dword ptr fs:[00000030h]8_2_0126096E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126096E mov edx, dword ptr fs:[00000030h]8_2_0126096E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0126096E mov eax, dword ptr fs:[00000030h]8_2_0126096E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C4978 mov eax, dword ptr fs:[00000030h]8_2_012C4978
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C4978 mov eax, dword ptr fs:[00000030h]8_2_012C4978
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AC97C mov eax, dword ptr fs:[00000030h]8_2_012AC97C
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A0946 mov eax, dword ptr fs:[00000030h]8_2_012A0946
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4940 mov eax, dword ptr fs:[00000030h]8_2_012F4940
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012329A0 mov eax, dword ptr fs:[00000030h]8_2_012329A0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012209AD mov eax, dword ptr fs:[00000030h]8_2_012209AD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012209AD mov eax, dword ptr fs:[00000030h]8_2_012209AD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A89B3 mov esi, dword ptr fs:[00000030h]8_2_012A89B3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A89B3 mov eax, dword ptr fs:[00000030h]8_2_012A89B3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012A89B3 mov eax, dword ptr fs:[00000030h]8_2_012A89B3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AE9E0 mov eax, dword ptr fs:[00000030h]8_2_012AE9E0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012529F9 mov eax, dword ptr fs:[00000030h]8_2_012529F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012529F9 mov eax, dword ptr fs:[00000030h]8_2_012529F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B69C0 mov eax, dword ptr fs:[00000030h]8_2_012B69C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122A9D0 mov eax, dword ptr fs:[00000030h]8_2_0122A9D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012549D0 mov eax, dword ptr fs:[00000030h]8_2_012549D0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EA9D3 mov eax, dword ptr fs:[00000030h]8_2_012EA9D3
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov eax, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov eax, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov eax, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov ecx, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov eax, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01242835 mov eax, dword ptr fs:[00000030h]8_2_01242835
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125A830 mov eax, dword ptr fs:[00000030h]8_2_0125A830
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C483A mov eax, dword ptr fs:[00000030h]8_2_012C483A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C483A mov eax, dword ptr fs:[00000030h]8_2_012C483A
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AC810 mov eax, dword ptr fs:[00000030h]8_2_012AC810
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AE872 mov eax, dword ptr fs:[00000030h]8_2_012AE872
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AE872 mov eax, dword ptr fs:[00000030h]8_2_012AE872
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6870 mov eax, dword ptr fs:[00000030h]8_2_012B6870
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6870 mov eax, dword ptr fs:[00000030h]8_2_012B6870
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01232840 mov ecx, dword ptr fs:[00000030h]8_2_01232840
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01250854 mov eax, dword ptr fs:[00000030h]8_2_01250854
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224859 mov eax, dword ptr fs:[00000030h]8_2_01224859
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01224859 mov eax, dword ptr fs:[00000030h]8_2_01224859
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220887 mov eax, dword ptr fs:[00000030h]8_2_01220887
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012AC89D mov eax, dword ptr fs:[00000030h]8_2_012AC89D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EA8E4 mov eax, dword ptr fs:[00000030h]8_2_012EA8E4
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C8F9 mov eax, dword ptr fs:[00000030h]8_2_0125C8F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125C8F9 mov eax, dword ptr fs:[00000030h]8_2_0125C8F9
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124E8C0 mov eax, dword ptr fs:[00000030h]8_2_0124E8C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F08C0 mov eax, dword ptr fs:[00000030h]8_2_012F08C0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124EB20 mov eax, dword ptr fs:[00000030h]8_2_0124EB20
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124EB20 mov eax, dword ptr fs:[00000030h]8_2_0124EB20
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E8B28 mov eax, dword ptr fs:[00000030h]8_2_012E8B28
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012E8B28 mov eax, dword ptr fs:[00000030h]8_2_012E8B28
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F4B00 mov eax, dword ptr fs:[00000030h]8_2_012F4B00
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129EB1D mov eax, dword ptr fs:[00000030h]8_2_0129EB1D
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0121CB7E mov eax, dword ptr fs:[00000030h]8_2_0121CB7E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D4B4B mov eax, dword ptr fs:[00000030h]8_2_012D4B4B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D4B4B mov eax, dword ptr fs:[00000030h]8_2_012D4B4B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6B40 mov eax, dword ptr fs:[00000030h]8_2_012B6B40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012B6B40 mov eax, dword ptr fs:[00000030h]8_2_012B6B40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012EAB40 mov eax, dword ptr fs:[00000030h]8_2_012EAB40
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012C8B42 mov eax, dword ptr fs:[00000030h]8_2_012C8B42
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01218B50 mov eax, dword ptr fs:[00000030h]8_2_01218B50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h]8_2_012F2B57
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h]8_2_012F2B57
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h]8_2_012F2B57
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012F2B57 mov eax, dword ptr fs:[00000030h]8_2_012F2B57
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CEB50 mov eax, dword ptr fs:[00000030h]8_2_012CEB50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230BBE mov eax, dword ptr fs:[00000030h]8_2_01230BBE
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230BBE mov eax, dword ptr fs:[00000030h]8_2_01230BBE
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D4BB0 mov eax, dword ptr fs:[00000030h]8_2_012D4BB0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012D4BB0 mov eax, dword ptr fs:[00000030h]8_2_012D4BB0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h]8_2_01228BF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h]8_2_01228BF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228BF0 mov eax, dword ptr fs:[00000030h]8_2_01228BF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124EBFC mov eax, dword ptr fs:[00000030h]8_2_0124EBFC
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012ACBF0 mov eax, dword ptr fs:[00000030h]8_2_012ACBF0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h]8_2_01240BCB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h]8_2_01240BCB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01240BCB mov eax, dword ptr fs:[00000030h]8_2_01240BCB
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h]8_2_01220BCD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h]8_2_01220BCD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01220BCD mov eax, dword ptr fs:[00000030h]8_2_01220BCD
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CEBD0 mov eax, dword ptr fs:[00000030h]8_2_012CEBD0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125CA24 mov eax, dword ptr fs:[00000030h]8_2_0125CA24
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0124EA2E mov eax, dword ptr fs:[00000030h]8_2_0124EA2E
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01244A35 mov eax, dword ptr fs:[00000030h]8_2_01244A35
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01244A35 mov eax, dword ptr fs:[00000030h]8_2_01244A35
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125CA38 mov eax, dword ptr fs:[00000030h]8_2_0125CA38
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012ACA11 mov eax, dword ptr fs:[00000030h]8_2_012ACA11
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h]8_2_0125CA6F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h]8_2_0125CA6F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0125CA6F mov eax, dword ptr fs:[00000030h]8_2_0125CA6F
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_012CEA60 mov eax, dword ptr fs:[00000030h]8_2_012CEA60
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129CA72 mov eax, dword ptr fs:[00000030h]8_2_0129CA72
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0129CA72 mov eax, dword ptr fs:[00000030h]8_2_0129CA72
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01226A50 mov eax, dword ptr fs:[00000030h]8_2_01226A50
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230A5B mov eax, dword ptr fs:[00000030h]8_2_01230A5B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01230A5B mov eax, dword ptr fs:[00000030h]8_2_01230A5B
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228AA0 mov eax, dword ptr fs:[00000030h]8_2_01228AA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01228AA0 mov eax, dword ptr fs:[00000030h]8_2_01228AA0
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_01276AA4 mov eax, dword ptr fs:[00000030h]8_2_01276AA4
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeCode function: 8_2_0122EA80 mov eax, dword ptr fs:[00000030h]8_2_0122EA80
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"Jump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeMemory written: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeProcess created: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeProcess created: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"Jump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Users\user\Desktop\PURCHASE ORDER-6350.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeQueries volume information: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PURCHASE ORDER-6350.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.PURCHASE ORDER-6350.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Scheduled Task/Job            		1
            Scheduled Task/Job            		111
            Process Injection            		1
            Masquerading            		OS Credential Dumping121
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading            		1
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		41
            Virtualization/Sandbox Evasion            		Security Account Manager41
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Timestomp            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            DLL Side-Loading            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1519455 Sample: PURCHASE ORDER-6350.exe Startdate: 26/09/2024 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 7 PURCHASE ORDER-6350.exe 7 2->7         started        11 fPtPRnPDTzobXQ.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\fPtPRnPDTzobXQ.exe, PE32 7->36 dropped 38 C:\...\fPtPRnPDTzobXQ.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpD091.tmp, XML 7->40 dropped 42 C:\Users\user\...\PURCHASE ORDER-6350.exe.log, ASCII 7->42 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 PURCHASE ORDER-6350.exe 7->20         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 22 schtasks.exe 1 11->22         started        24 fPtPRnPDTzobXQ.exe 11->24         started        signatures5 process6 signatures7 60 Loading BitLocker PowerShell Module 13->60 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 22->34         started        process8

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            PURCHASE ORDER-6350.exe37%ReversingLabsByteCode-MSIL.Infostealer.LokiBot
            PURCHASE ORDER-6350.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe37%ReversingLabsByteCode-MSIL.Infostealer.LokiBot

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.fontbureau.com0%URL Reputationsafe
            http://www.fontbureau.com/designersG0%URL Reputationsafe
            http://www.fontbureau.com/designers/?0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.fontbureau.com/designers?0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.fontbureau.com/designers0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.fontbureau.com/designers80%URL Reputationsafe
            http://www.fonts.com0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.apache.org/licenses/LICENSE-2.00%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.apache.org/licenses/LICENSE-2.0PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.fontbureau.comPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersGPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/?PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cn/bThePURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers?PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.tiro.comPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.goodfont.co.krPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.carterandcone.comlPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sajatypeworks.comPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.typography.netDPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/cabarga.htmlNPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cn/cThePURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.galapagosdesign.com/staff/dennis.htmPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.founder.com.cn/cnPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers/frere-user.htmlPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.jiyu-kobo.co.jp/PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.galapagosdesign.com/DPleasePURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designers8PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.fonts.comPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sandoll.co.krPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.urwpp.deDPleasePURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.zhongyicts.com.cnPURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePURCHASE ORDER-6350.exe, 00000000.00000002.1770780900.0000000002FE2000.00000004.00000800.00020000.00000000.sdmp, fPtPRnPDTzobXQ.exe, 00000009.00000002.1894943125.0000000003322000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://www.sakkal.comPURCHASE ORDER-6350.exe, 00000000.00000002.1776428016.0000000005804000.00000004.00000020.00020000.00000000.sdmp, PURCHASE ORDER-6350.exe, 00000000.00000002.1776818082.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1519455
            Start date and time:2024-09-26 15:13:49 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 57s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:18
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:PURCHASE ORDER-6350.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@19/15@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 72
            • Number of non-executed functions: 287
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: PURCHASE ORDER-6350.exe

            Simulations

            Behavior and APIs

            TimeTypeDescription
            09:14:44API Interceptor4x Sleep call for process: PURCHASE ORDER-6350.exe modified
            09:14:46API Interceptor30x Sleep call for process: powershell.exe modified
            09:14:51API Interceptor4x Sleep call for process: fPtPRnPDTzobXQ.exe modified
            14:14:46Task SchedulerRun new task: fPtPRnPDTzobXQ path: C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PURCHASE ORDER-6350.exe.log

            Download File
            Process:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fPtPRnPDTzobXQ.exe.log

            Download File
            Process:C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:modified
            Size (bytes):2232
            Entropy (8bit):5.3792772635987225
            Encrypted:false
            SSDEEP:48:bWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//x0Uyus:bLHxvCsIfA2KRHmOugw1s
            MD5:F080EBD749A51476BD560B6E3B51F01B
            SHA1:C12B9ADD8612DD4581A71E73E782C9DC4DA7B0A9
            SHA-256:BA02F5DD01AFDD92CC650BA11BB67299FB0781DCD134CB4DAADAA3D7C3DE80E0
            SHA-512:9572BC290A55D29A630380084737637E3D99062F68E0813B33A0C4D5D6F9278CCACAD8181ED4B6262EE4B0288BC3919A469F20A8568518C7EB387966D7C03E43
            Malicious:false
            Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rtfqxeq.cdh.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b5lpzwhm.wjg.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e5acxq3i.5ej.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nip2so1y.owr.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o2nhutoj.orl.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pdj4atp2.ssw.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vmmlhuuy.mm4.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xipeto1i.szt.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\tmpD091.tmp

            Download File
            Process:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1580
            Entropy (8bit):5.119847062513488
            Encrypted:false
            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaMGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
            MD5:37AEF537816822237D05DC9F4FA43A08
            SHA1:FB8BA421773FFAD1570EFA2B39A78A21E04FB57B
            SHA-256:F8EC9B29C4109136A37E7B5CF479EFCEA97A44F0C525F49EEF8E2C876F92C4EF
            SHA-512:DE422B500A834788B1F7AD81824D7BF95C78D8905D9F30AE70AA08CF4D1C7276C666876647FD83C89CD5D15A0CBEE14DB8EA03547FD0F2851750D3AA73ACC6C3
            Malicious:true
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

            C:\Users\user\AppData\Local\Temp\tmpE850.tmp

            Download File
            Process:C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1580
            Entropy (8bit):5.119847062513488
            Encrypted:false
            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaMGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
            MD5:37AEF537816822237D05DC9F4FA43A08
            SHA1:FB8BA421773FFAD1570EFA2B39A78A21E04FB57B
            SHA-256:F8EC9B29C4109136A37E7B5CF479EFCEA97A44F0C525F49EEF8E2C876F92C4EF
            SHA-512:DE422B500A834788B1F7AD81824D7BF95C78D8905D9F30AE70AA08CF4D1C7276C666876647FD83C89CD5D15A0CBEE14DB8EA03547FD0F2851750D3AA73ACC6C3
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

            C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe

            Download File
            Process:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):707584
            Entropy (8bit):7.840094433064861
            Encrypted:false
            SSDEEP:12288:Di1oAZok+gk0S8+Hvmwva4kcWepgDCaPC/tmV9yLbeWtF0G8bQb:DyPZok+hn8m9a4kcWtGuyLavI
            MD5:F89E05B5582E853A9C1A425BB21736E6
            SHA1:5BEE740320EDDD8182D71519F3BBA8198062C1F1
            SHA-256:B470D179064081578EF2E125C88C726A11F4129DD2593CCB84E054779ED32A21
            SHA-512:F2E6084228ABD17104045206833D7CC33AB8CDC2E7A1B93525F7D214526AC8F6C9D8BDC9D48AB60A3AB9E9EEC70D6C7BC5D47906502EBDF1AF603E2FDF3F6415
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 37%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.................................O...O....... ...........................L...p............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........C...8......8....|...O............................................{....*.0............{.....+..*.0............{.....+..*..(........}......}......d}......}....*..0..&..........{.....X}.....k"..HBZ.{....k[...+..*..s0...}......}.....(.......(.....*b..{....o....r...po....&*...0............{.....{....o....o#.....{.....{....o....o%.....{.....{....o....-.r...p+.rO..po'.....{....o......,..{....r{..po)....+3.{....o......,..{....r...po)....+..{....r...po).....{.....{....o....o.

            C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.840094433064861
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:PURCHASE ORDER-6350.exe
            File size:707'584 bytes
            MD5:f89e05b5582e853a9c1a425bb21736e6
            SHA1:5bee740320eddd8182d71519f3bba8198062c1f1
            SHA256:b470d179064081578ef2e125c88c726a11f4129dd2593ccb84e054779ed32a21
            SHA512:f2e6084228abd17104045206833d7cc33ab8cdc2e7a1b93525f7d214526ac8f6c9d8bdc9d48ab60a3ab9e9eec70d6c7bc5d47906502ebdf1af603e2fdf3f6415
            SSDEEP:12288:Di1oAZok+gk0S8+Hvmwva4kcWepgDCaPC/tmV9yLbeWtF0G8bQb:DyPZok+hn8m9a4kcWtGuyLavI
            TLSH:5EE401523566C919D0E25BB01966D2F82BBA1D8CB421D7478BCBBCEF7C797012E403A7
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................

            File Icon

            Icon Hash:90cececece8e8eb0

            Static PE Info

            General

            Entrypoint:0x4adea2
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0xEA84B806 [Sun Sep 5 23:06:46 2094 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xade4f0x4f.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xae0000x620.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0xb00000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0xacc4c0x70.text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000xabea80xac000c23167e4de0625109b899ba6a6dbdfcbFalse0.9342892668968024data7.849261127100481IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc0xae0000x6200x80008b562ad28be85da568a5331dcae73f6False0.33642578125data3.4437775296784214IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0xb00000xc0x2008200fc39a18b162cdb5a0f958f32bc67False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_VERSION0xae0900x390data0.4232456140350877
            RT_MANIFEST0xae4300x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

            Imports

            DLLImport
            mscoree.dll_CorExeMain

            Network Behavior

            No network behavior found

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:09:14:43
            Start date:26/09/2024
            Path:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Imagebase:0x9f0000
            File size:707'584 bytes
            MD5 hash:F89E05B5582E853A9C1A425BB21736E6
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:09:14:45
            Start date:26/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Imagebase:0x910000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:3
            Start time:09:14:45
            Start date:26/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:4
            Start time:09:14:45
            Start date:26/09/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
            Imagebase:0x910000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:5
            Start time:09:14:46
            Start date:26/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:6
            Start time:09:14:46
            Start date:26/09/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD091.tmp"
            Imagebase:0xf0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:7
            Start time:09:14:46
            Start date:26/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:8
            Start time:09:14:46
            Start date:26/09/2024
            Path:C:\Users\user\Desktop\PURCHASE ORDER-6350.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\PURCHASE ORDER-6350.exe"
            Imagebase:0x6d0000
            File size:707'584 bytes
            MD5 hash:F89E05B5582E853A9C1A425BB21736E6
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1896034522.0000000000D00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            General

            Target ID:9
            Start time:09:14:46
            Start date:26/09/2024
            Path:C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            Imagebase:0xee0000
            File size:707'584 bytes
            MD5 hash:F89E05B5582E853A9C1A425BB21736E6
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 37%, ReversingLabs
            Reputation:low
            Has exited:true

            General

            Target ID:10
            Start time:09:14:49
            Start date:26/09/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff693ab0000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:11
            Start time:09:14:52
            Start date:26/09/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fPtPRnPDTzobXQ" /XML "C:\Users\user\AppData\Local\Temp\tmpE850.tmp"
            Imagebase:0xf0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:12
            Start time:09:14:52
            Start date:26/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:13
            Start time:09:14:52
            Start date:26/09/2024
            Path:C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\fPtPRnPDTzobXQ.exe"
            Imagebase:0x830000
            File size:707'584 bytes
            MD5 hash:F89E05B5582E853A9C1A425BB21736E6
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:11.6%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:3.8%
              Total number of Nodes:239
              Total number of Limit Nodes:22
              execution_graph 22275 7672186 22276 7671f53 22275->22276 22277 767205b 22276->22277 22281 7674ed6 22276->22281 22305 7674e70 22276->22305 22328 7674e60 22276->22328 22282 7674e64 22281->22282 22284 7674ed9 22281->22284 22283 7674e92 22282->22283 22351 76754b9 22282->22351 22356 76756ff 22282->22356 22361 7675630 22282->22361 22366 7675251 22282->22366 22374 7675672 22282->22374 22379 7675b72 22282->22379 22384 76753d2 22282->22384 22389 76753f3 22282->22389 22397 76757d3 22282->22397 22402 76759d4 22282->22402 22408 76756b4 22282->22408 22413 7675188 22282->22413 22422 7675589 22282->22422 22426 767540a 22282->22426 22431 76756cc 22282->22431 22436 767578f 22282->22436 22443 76755c0 22282->22443 22447 7675520 22282->22447 22452 7675965 22282->22452 22456 7675267 22282->22456 22283->22277 22284->22277 22306 7674e80 22305->22306 22307 7675267 4 API calls 22306->22307 22308 7675965 2 API calls 22306->22308 22309 7675520 2 API calls 22306->22309 22310 76755c0 2 API calls 22306->22310 22311 767578f 2 API calls 22306->22311 22312 76756cc 2 API calls 22306->22312 22313 767540a 2 API calls 22306->22313 22314 7675589 2 API calls 22306->22314 22315 7675188 4 API calls 22306->22315 22316 76756b4 2 API calls 22306->22316 22317 76759d4 2 API calls 22306->22317 22318 7674e92 22306->22318 22319 76757d3 2 API calls 22306->22319 22320 76753f3 4 API calls 22306->22320 22321 76753d2 2 API calls 22306->22321 22322 7675b72 2 API calls 22306->22322 22323 7675672 2 API calls 22306->22323 22324 7675251 4 API calls 22306->22324 22325 7675630 2 API calls 22306->22325 22326 76756ff 2 API calls 22306->22326 22327 76754b9 2 API calls 22306->22327 22307->22318 22308->22318 22309->22318 22310->22318 22311->22318 22312->22318 22313->22318 22314->22318 22315->22318 22316->22318 22317->22318 22318->22277 22319->22318 22320->22318 22321->22318 22322->22318 22323->22318 22324->22318 22325->22318 22326->22318 22327->22318 22329 7674e64 22328->22329 22330 7674e92 22329->22330 22331 7675267 4 API calls 22329->22331 22332 7675965 2 API calls 22329->22332 22333 7675520 2 API calls 22329->22333 22334 76755c0 2 API calls 22329->22334 22335 767578f 2 API calls 22329->22335 22336 76756cc 2 API calls 22329->22336 22337 767540a 2 API calls 22329->22337 22338 7675589 2 API calls 22329->22338 22339 7675188 4 API calls 22329->22339 22340 76756b4 2 API calls 22329->22340 22341 76759d4 2 API calls 22329->22341 22342 76757d3 2 API calls 22329->22342 22343 76753f3 4 API calls 22329->22343 22344 76753d2 2 API calls 22329->22344 22345 7675b72 2 API calls 22329->22345 22346 7675672 2 API calls 22329->22346 22347 7675251 4 API calls 22329->22347 22348 7675630 2 API calls 22329->22348 22349 76756ff 2 API calls 22329->22349 22350 76754b9 2 API calls 22329->22350 22330->22277 22331->22330 22332->22330 22333->22330 22334->22330 22335->22330 22336->22330 22337->22330 22338->22330 22339->22330 22340->22330 22341->22330 22342->22330 22343->22330 22344->22330 22345->22330 22346->22330 22347->22330 22348->22330 22349->22330 22350->22330 22352 76754bf 22351->22352 22465 76718b0 22352->22465 22469 76718b8 22352->22469 22353 76754f1 22353->22283 22357 7675618 22356->22357 22358 7675c4d 22357->22358 22473 76719a0 22357->22473 22477 76719a8 22357->22477 22362 7675566 22361->22362 22363 7675b60 22362->22363 22481 7671670 22362->22481 22485 7671669 22362->22485 22363->22283 22367 767525a 22366->22367 22489 7671b34 22367->22489 22493 7671b40 22367->22493 22375 7675618 22374->22375 22375->22374 22376 7675c4d 22375->22376 22377 76719a0 ReadProcessMemory 22375->22377 22378 76719a8 ReadProcessMemory 22375->22378 22377->22375 22378->22375 22380 76753db 22379->22380 22381 76753e6 22380->22381 22382 76718b0 WriteProcessMemory 22380->22382 22383 76718b8 WriteProcessMemory 22380->22383 22381->22283 22382->22380 22383->22380 22385 76753db 22384->22385 22386 76753e6 22385->22386 22387 76718b0 WriteProcessMemory 22385->22387 22388 76718b8 WriteProcessMemory 22385->22388 22386->22283 22387->22385 22388->22385 22390 76758e5 22389->22390 22391 7675400 22389->22391 22497 7671720 22390->22497 22501 7671719 22390->22501 22391->22283 22392 7675566 22392->22391 22393 7671670 ResumeThread 22392->22393 22394 7671669 ResumeThread 22392->22394 22393->22392 22394->22392 22398 7675566 22397->22398 22399 7675b60 22398->22399 22400 7671670 ResumeThread 22398->22400 22401 7671669 ResumeThread 22398->22401 22399->22283 22400->22398 22401->22398 22403 76759d4 2 API calls 22402->22403 22404 767596f 22403->22404 22405 767597f 22404->22405 22406 7671720 Wow64SetThreadContext 22404->22406 22407 7671719 Wow64SetThreadContext 22404->22407 22406->22405 22407->22405 22409 7675618 22408->22409 22410 7675c4d 22409->22410 22411 76719a0 ReadProcessMemory 22409->22411 22412 76719a8 ReadProcessMemory 22409->22412 22410->22410 22411->22409 22412->22409 22415 76751cb 22413->22415 22414 76752a1 22414->22283 22415->22414 22420 7671b34 CreateProcessA 22415->22420 22421 7671b40 CreateProcessA 22415->22421 22416 76753b3 22417 76753e6 22416->22417 22418 76718b0 WriteProcessMemory 22416->22418 22419 76718b8 WriteProcessMemory 22416->22419 22417->22283 22418->22416 22419->22416 22420->22416 22421->22416 22423 767558d 22422->22423 22505 76717f1 22423->22505 22509 76717f8 22423->22509 22427 76754d0 22426->22427 22428 76754f1 22427->22428 22429 76718b0 WriteProcessMemory 22427->22429 22430 76718b8 WriteProcessMemory 22427->22430 22428->22283 22429->22428 22430->22428 22432 767543f 22431->22432 22433 7675493 22432->22433 22434 76718b0 WriteProcessMemory 22432->22434 22435 76718b8 WriteProcessMemory 22432->22435 22433->22283 22434->22432 22435->22432 22439 76719a0 ReadProcessMemory 22436->22439 22440 76719a8 ReadProcessMemory 22436->22440 22437 7675c4d 22438 7675618 22438->22437 22441 76719a0 ReadProcessMemory 22438->22441 22442 76719a8 ReadProcessMemory 22438->22442 22439->22438 22440->22438 22441->22438 22442->22438 22444 767558d 22443->22444 22444->22443 22445 76717f1 VirtualAllocEx 22444->22445 22446 76717f8 VirtualAllocEx 22444->22446 22445->22444 22446->22444 22448 7675543 22447->22448 22450 76718b0 WriteProcessMemory 22448->22450 22451 76718b8 WriteProcessMemory 22448->22451 22449 7675d7e 22450->22449 22451->22449 22454 7671720 Wow64SetThreadContext 22452->22454 22455 7671719 Wow64SetThreadContext 22452->22455 22453 767597f 22454->22453 22455->22453 22458 767525a 22456->22458 22457 76752a1 22457->22283 22458->22457 22463 7671b34 CreateProcessA 22458->22463 22464 7671b40 CreateProcessA 22458->22464 22459 76753b3 22460 76753e6 22459->22460 22461 76718b0 WriteProcessMemory 22459->22461 22462 76718b8 WriteProcessMemory 22459->22462 22460->22283 22461->22459 22462->22459 22463->22459 22464->22459 22466 7671900 WriteProcessMemory 22465->22466 22468 7671957 22466->22468 22468->22353 22470 7671900 WriteProcessMemory 22469->22470 22472 7671957 22470->22472 22472->22353 22474 76719f3 ReadProcessMemory 22473->22474 22476 7671a37 22474->22476 22476->22357 22478 76719f3 ReadProcessMemory 22477->22478 22480 7671a37 22478->22480 22480->22357 22482 76716b0 ResumeThread 22481->22482 22484 76716e1 22482->22484 22484->22362 22486 7671670 ResumeThread 22485->22486 22488 76716e1 22486->22488 22488->22362 22490 7671bc9 CreateProcessA 22489->22490 22492 7671d8b 22490->22492 22494 7671bc9 CreateProcessA 22493->22494 22496 7671d8b 22494->22496 22498 7671765 Wow64SetThreadContext 22497->22498 22500 76717ad 22498->22500 22500->22392 22502 7671720 Wow64SetThreadContext 22501->22502 22504 76717ad 22502->22504 22504->22392 22506 76717f8 VirtualAllocEx 22505->22506 22508 7671875 22506->22508 22508->22423 22510 7671838 VirtualAllocEx 22509->22510 22512 7671875 22510->22512 22512->22423 22513 7672084 22515 7671f53 22513->22515 22514 767205b 22515->22514 22516 7674ed6 12 API calls 22515->22516 22517 7674e60 12 API calls 22515->22517 22518 7674e70 12 API calls 22515->22518 22516->22514 22517->22514 22518->22514 22519 2d6acb0 22523 2d6ad97 22519->22523 22528 2d6ada8 22519->22528 22520 2d6acbf 22524 2d6adb9 22523->22524 22525 2d6addc 22523->22525 22524->22525 22526 2d6afe0 GetModuleHandleW 22524->22526 22525->22520 22527 2d6b00d 22526->22527 22527->22520 22529 2d6adb9 22528->22529 22530 2d6addc 22528->22530 22529->22530 22531 2d6afe0 GetModuleHandleW 22529->22531 22530->22520 22532 2d6b00d 22531->22532 22532->22520 22537 2d6d040 22538 2d6d086 GetCurrentProcess 22537->22538 22540 2d6d0d1 22538->22540 22541 2d6d0d8 GetCurrentThread 22538->22541 22540->22541 22542 2d6d115 GetCurrentProcess 22541->22542 22543 2d6d10e 22541->22543 22544 2d6d14b 22542->22544 22543->22542 22545 2d6d173 GetCurrentThreadId 22544->22545 22546 2d6d1a4 22545->22546 22533 2d6d751 22534 2d6d714 DuplicateHandle 22533->22534 22536 2d6d75a 22533->22536 22535 2d6d726 22534->22535 22553 2d64668 22554 2d6467a 22553->22554 22556 2d64686 22554->22556 22557 2d64778 22554->22557 22558 2d6479d 22557->22558 22562 2d64888 22558->22562 22566 2d64878 22558->22566 22563 2d648af 22562->22563 22564 2d6498c 22563->22564 22570 2d644b0 22563->22570 22567 2d648af 22566->22567 22568 2d6498c 22567->22568 22569 2d644b0 CreateActCtxA 22567->22569 22569->22568 22571 2d65918 CreateActCtxA 22570->22571 22573 2d659db 22571->22573 22574 7676038 22575 76761c3 22574->22575 22577 767605e 22574->22577 22577->22575 22578 7672658 22577->22578 22579 76762b8 PostMessageW 22578->22579 22580 7676324 22579->22580 22580->22577

              Executed Functions

              Function 07675188 Relevance: .3, Instructions: 257COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f8aa6079439bb6d11f327370a0e24906b8f42961193af78d13f7a6ebef6a3f8
              • Instruction ID: 1bf7a11dc5aabae98a0b29f2d75c1165e9314d04fe83615fb803dc15b3e90b79
              • Opcode Fuzzy Hash: 6f8aa6079439bb6d11f327370a0e24906b8f42961193af78d13f7a6ebef6a3f8
              • Instruction Fuzzy Hash: 9FB115B4D05228CBDB24CF65C8447E9BBB6BF8A340F1491EAD40EA7251EB705AD6CF40
              Function 076756F4 Relevance: .0, Instructions: 8COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c7e910b132b6a0848ae65455d92724497a0d3b999980da5066311a5ffe6295f
              • Instruction ID: 88ab0bf8fef6313d9041d76d86e570e4331245ee898d9923d4e35b89cbed20c0
              • Opcode Fuzzy Hash: 9c7e910b132b6a0848ae65455d92724497a0d3b999980da5066311a5ffe6295f
              • Instruction Fuzzy Hash:
              Function 02D6D030 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 294 2d6d030-2d6d0cf GetCurrentProcess 298 2d6d0d1-2d6d0d7 294->298 299 2d6d0d8-2d6d10c GetCurrentThread 294->299 298->299 300 2d6d115-2d6d149 GetCurrentProcess 299->300 301 2d6d10e-2d6d114 299->301 302 2d6d152-2d6d16d call 2d6d619 300->302 303 2d6d14b-2d6d151 300->303 301->300 307 2d6d173-2d6d1a2 GetCurrentThreadId 302->307 303->302 308 2d6d1a4-2d6d1aa 307->308 309 2d6d1ab-2d6d20d 307->309 308->309
              APIs
              • GetCurrentProcess.KERNEL32 ref: 02D6D0BE
              • GetCurrentThread.KERNEL32 ref: 02D6D0FB
              • GetCurrentProcess.KERNEL32 ref: 02D6D138
              • GetCurrentThreadId.KERNEL32 ref: 02D6D191
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: f31a2efa8ce6567dd46a5ca206dde5af63f7d19da1422a96282236c095731cc8
              • Instruction ID: 7af93953fe2dbce51bf0813ca1fde2f06a6705b11da6ef8df49488bbe431ed4a
              • Opcode Fuzzy Hash: f31a2efa8ce6567dd46a5ca206dde5af63f7d19da1422a96282236c095731cc8
              • Instruction Fuzzy Hash: 9E5168B0A002498FDB14DFA9D948BEEBFF1EF88304F208459D419A7360DB749985CF65
              Function 02D6D040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 316 2d6d040-2d6d0cf GetCurrentProcess 320 2d6d0d1-2d6d0d7 316->320 321 2d6d0d8-2d6d10c GetCurrentThread 316->321 320->321 322 2d6d115-2d6d149 GetCurrentProcess 321->322 323 2d6d10e-2d6d114 321->323 324 2d6d152-2d6d16d call 2d6d619 322->324 325 2d6d14b-2d6d151 322->325 323->322 329 2d6d173-2d6d1a2 GetCurrentThreadId 324->329 325->324 330 2d6d1a4-2d6d1aa 329->330 331 2d6d1ab-2d6d20d 329->331 330->331
              APIs
              • GetCurrentProcess.KERNEL32 ref: 02D6D0BE
              • GetCurrentThread.KERNEL32 ref: 02D6D0FB
              • GetCurrentProcess.KERNEL32 ref: 02D6D138
              • GetCurrentThreadId.KERNEL32 ref: 02D6D191
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 79be656d0defcb1cdc92155ca19ffb9ddab8b2d4bcb54b25110153941a273f94
              • Instruction ID: e29305107bc38ac6cbeab84e43b3c6fca731cab114fa783bc1fc85fcd1a2db88
              • Opcode Fuzzy Hash: 79be656d0defcb1cdc92155ca19ffb9ddab8b2d4bcb54b25110153941a273f94
              • Instruction Fuzzy Hash: FC5137B0A012498FDB14DFA9D948BEEBBF1EF88314F208459E419A7360DB749984CF65
              Function 07671B34 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 446 7671b34-7671bd5 448 7671bd7-7671be1 446->448 449 7671c0e-7671c2e 446->449 448->449 450 7671be3-7671be5 448->450 454 7671c67-7671c96 449->454 455 7671c30-7671c3a 449->455 451 7671be7-7671bf1 450->451 452 7671c08-7671c0b 450->452 456 7671bf5-7671c04 451->456 457 7671bf3 451->457 452->449 465 7671ccf-7671d89 CreateProcessA 454->465 466 7671c98-7671ca2 454->466 455->454 458 7671c3c-7671c3e 455->458 456->456 459 7671c06 456->459 457->456 460 7671c61-7671c64 458->460 461 7671c40-7671c4a 458->461 459->452 460->454 463 7671c4e-7671c5d 461->463 464 7671c4c 461->464 463->463 467 7671c5f 463->467 464->463 477 7671d92-7671e18 465->477 478 7671d8b-7671d91 465->478 466->465 468 7671ca4-7671ca6 466->468 467->460 470 7671cc9-7671ccc 468->470 471 7671ca8-7671cb2 468->471 470->465 472 7671cb6-7671cc5 471->472 473 7671cb4 471->473 472->472 475 7671cc7 472->475 473->472 475->470 488 7671e1a-7671e1e 477->488 489 7671e28-7671e2c 477->489 478->477 488->489 490 7671e20 488->490 491 7671e2e-7671e32 489->491 492 7671e3c-7671e40 489->492 490->489 491->492 495 7671e34 491->495 493 7671e42-7671e46 492->493 494 7671e50-7671e54 492->494 493->494 496 7671e48 493->496 497 7671e66-7671e6d 494->497 498 7671e56-7671e5c 494->498 495->492 496->494 499 7671e84 497->499 500 7671e6f-7671e7e 497->500 498->497 502 7671e85 499->502 500->499 502->502
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07671D76
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: d2e19821e41c4403fa665393acc780f16bbcda9464ca2c68c7df0d36606284cd
              • Instruction ID: ecd7b437d3ca293eac3a69fce1a5063643180c26af82eaf0746a7fd403c58b6b
              • Opcode Fuzzy Hash: d2e19821e41c4403fa665393acc780f16bbcda9464ca2c68c7df0d36606284cd
              • Instruction Fuzzy Hash: ACA14AB1D0021EDFDB14CFA8C8417EDBBB2BF89354F1485AAE849A7240DB749985CF91
              Function 07671B40 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 503 7671b40-7671bd5 505 7671bd7-7671be1 503->505 506 7671c0e-7671c2e 503->506 505->506 507 7671be3-7671be5 505->507 511 7671c67-7671c96 506->511 512 7671c30-7671c3a 506->512 508 7671be7-7671bf1 507->508 509 7671c08-7671c0b 507->509 513 7671bf5-7671c04 508->513 514 7671bf3 508->514 509->506 522 7671ccf-7671d89 CreateProcessA 511->522 523 7671c98-7671ca2 511->523 512->511 515 7671c3c-7671c3e 512->515 513->513 516 7671c06 513->516 514->513 517 7671c61-7671c64 515->517 518 7671c40-7671c4a 515->518 516->509 517->511 520 7671c4e-7671c5d 518->520 521 7671c4c 518->521 520->520 524 7671c5f 520->524 521->520 534 7671d92-7671e18 522->534 535 7671d8b-7671d91 522->535 523->522 525 7671ca4-7671ca6 523->525 524->517 527 7671cc9-7671ccc 525->527 528 7671ca8-7671cb2 525->528 527->522 529 7671cb6-7671cc5 528->529 530 7671cb4 528->530 529->529 532 7671cc7 529->532 530->529 532->527 545 7671e1a-7671e1e 534->545 546 7671e28-7671e2c 534->546 535->534 545->546 547 7671e20 545->547 548 7671e2e-7671e32 546->548 549 7671e3c-7671e40 546->549 547->546 548->549 552 7671e34 548->552 550 7671e42-7671e46 549->550 551 7671e50-7671e54 549->551 550->551 553 7671e48 550->553 554 7671e66-7671e6d 551->554 555 7671e56-7671e5c 551->555 552->549 553->551 556 7671e84 554->556 557 7671e6f-7671e7e 554->557 555->554 559 7671e85 556->559 557->556 559->559
              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07671D76
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 42285158ee479ed0790a55c0ef29f9e10a28371a7aeb32fd7a091da57db79a54
              • Instruction ID: 21ca67978d5d55720f24f671738d395b5dfe9b0b4bf241fdbd56db08b12a50f3
              • Opcode Fuzzy Hash: 42285158ee479ed0790a55c0ef29f9e10a28371a7aeb32fd7a091da57db79a54
              • Instruction Fuzzy Hash: F1914AB1D0021EDFDB14CFA8C8417EDBBB2BF89350F1485AAE809A7250DB749985CF91
              Function 02D6ADA8 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 560 2d6ada8-2d6adb7 561 2d6ade3-2d6ade7 560->561 562 2d6adb9-2d6adc6 call 2d6a0cc 560->562 563 2d6adfb-2d6ae3c 561->563 564 2d6ade9-2d6adf3 561->564 569 2d6addc 562->569 570 2d6adc8 562->570 571 2d6ae3e-2d6ae46 563->571 572 2d6ae49-2d6ae57 563->572 564->563 569->561 615 2d6adce call 2d6b040 570->615 616 2d6adce call 2d6b030 570->616 571->572 574 2d6ae7b-2d6ae7d 572->574 575 2d6ae59-2d6ae5e 572->575 573 2d6add4-2d6add6 573->569 576 2d6af18-2d6afd8 573->576 577 2d6ae80-2d6ae87 574->577 578 2d6ae60-2d6ae67 call 2d6a0d8 575->578 579 2d6ae69 575->579 610 2d6afe0-2d6b00b GetModuleHandleW 576->610 611 2d6afda-2d6afdd 576->611 580 2d6ae94-2d6ae9b 577->580 581 2d6ae89-2d6ae91 577->581 582 2d6ae6b-2d6ae79 578->582 579->582 585 2d6ae9d-2d6aea5 580->585 586 2d6aea8-2d6aeaa call 2d6a0e8 580->586 581->580 582->577 585->586 590 2d6aeaf-2d6aeb1 586->590 591 2d6aeb3-2d6aebb 590->591 592 2d6aebe-2d6aec3 590->592 591->592 594 2d6aec5-2d6aecc 592->594 595 2d6aee1-2d6aeee 592->595 594->595 596 2d6aece-2d6aede call 2d6a0f8 call 2d6a108 594->596 600 2d6aef0-2d6af0e 595->600 601 2d6af11-2d6af17 595->601 596->595 600->601 612 2d6b014-2d6b028 610->612 613 2d6b00d-2d6b013 610->613 611->610 613->612 615->573 616->573
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 02D6AFFE
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 203e81cc9df491c9db6aec40b020d195fa2629a2dedebc2f99eef230d5848f87
              • Instruction ID: d184d03aa39b56a6c8949b75a32c10612b980469c1b943ddc7d27c5b45b17079
              • Opcode Fuzzy Hash: 203e81cc9df491c9db6aec40b020d195fa2629a2dedebc2f99eef230d5848f87
              • Instruction Fuzzy Hash: E4711370A00B058FD724DF6AC4547AABBF1FF88204F108A2DD48AE7B50DB75E849CB90
              Function 02D644B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 617 2d644b0-2d659d9 CreateActCtxA 620 2d659e2-2d65a3c 617->620 621 2d659db-2d659e1 617->621 628 2d65a3e-2d65a41 620->628 629 2d65a4b-2d65a4f 620->629 621->620 628->629 630 2d65a60-2d65a90 629->630 631 2d65a51-2d65a5d 629->631 635 2d65a42-2d65a47 630->635 636 2d65a92-2d65b14 630->636 631->630 635->629
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02D659C9
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 504eb9afb2e826fb16d6dc639071f0e5d01fb9d3fea0fbffdc2c8ccabec77418
              • Instruction ID: e6179ee89a42a4e55f3048c61a1cca1828bc0bc335d662d2aefb6b63596ab4a6
              • Opcode Fuzzy Hash: 504eb9afb2e826fb16d6dc639071f0e5d01fb9d3fea0fbffdc2c8ccabec77418
              • Instruction Fuzzy Hash: 4B41D2B0C00719CBDB24DFA9C8487DEBBB5BF49304F64805AD409AB255DB756989CF90
              Function 02D6590C Relevance: 1.6, APIs: 1, Instructions: 94COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 639 2d6590c-2d65912 640 2d6591c-2d659d9 CreateActCtxA 639->640 642 2d659e2-2d65a3c 640->642 643 2d659db-2d659e1 640->643 650 2d65a3e-2d65a41 642->650 651 2d65a4b-2d65a4f 642->651 643->642 650->651 652 2d65a60-2d65a90 651->652 653 2d65a51-2d65a5d 651->653 657 2d65a42-2d65a47 652->657 658 2d65a92-2d65b14 652->658 653->652 657->651
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 02D659C9
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 0939ebb7a27b0f166b39e77e40f0ff0f3881c9b8824af7b3bea536a4490bd948
              • Instruction ID: 7872cdde7cc8dbac64a6c11e40bf4236ef0a76c531c314bbb7c878db1f38e352
              • Opcode Fuzzy Hash: 0939ebb7a27b0f166b39e77e40f0ff0f3881c9b8824af7b3bea536a4490bd948
              • Instruction Fuzzy Hash: 1A4103B0C00719CFDB24CFA9C8847DDBBB5BF49304F24805AD419AB251DB75698ACF90
              Function 02D6D751 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 661 2d6d751-2d6d758 662 2d6d714-2d6d724 DuplicateHandle 661->662 663 2d6d75a-2d6d87e 661->663 664 2d6d726-2d6d72c 662->664 665 2d6d72d-2d6d74a 662->665 664->665
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D6D717
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 0af9ed672497203e1a4b523576aac11fe18a384a51032e1da0a27098a5fb3205
              • Instruction ID: 5c69acf56bf83a12ab8e33b4f9093e28afb3789a6a4fdc5c5c205794faed3fc9
              • Opcode Fuzzy Hash: 0af9ed672497203e1a4b523576aac11fe18a384a51032e1da0a27098a5fb3205
              • Instruction Fuzzy Hash: 9731A874E8038CAFE314EF64E459B69BB75F788390F51893AD9218B3D8CAB45865CF10
              Function 076718B0 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 679 76718b0-7671906 681 7671916-7671955 WriteProcessMemory 679->681 682 7671908-7671914 679->682 684 7671957-767195d 681->684 685 767195e-767198e 681->685 682->681 684->685
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07671948
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: e849b26732481ce8cd64ffdba82786d3f8d6a2463f72e023335c943bbc1e15a7
              • Instruction ID: ef572defedeb63ed625463d9ff040b582d0dc4eaaac8c1237aaaceab5e0c0bde
              • Opcode Fuzzy Hash: e849b26732481ce8cd64ffdba82786d3f8d6a2463f72e023335c943bbc1e15a7
              • Instruction Fuzzy Hash: CD2146B59003599FCB10DFA9C884BDEBBF1FF88324F10842AE959A7341C7789945CBA0
              Function 07671719 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 689 7671719-767176b 692 767176d-7671779 689->692 693 767177b-76717ab Wow64SetThreadContext 689->693 692->693 695 76717b4-76717e4 693->695 696 76717ad-76717b3 693->696 696->695
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767179E
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: b3b6eed8f90635f892394411987d270876a0803a5ccb34be228c429dc3ae63dc
              • Instruction ID: df90bca7640061d68c37b98aa3360a210c7a08190c060aa4634770d936edfea0
              • Opcode Fuzzy Hash: b3b6eed8f90635f892394411987d270876a0803a5ccb34be228c429dc3ae63dc
              • Instruction Fuzzy Hash: D6216AB19002098FCB14DFAAC4857EEFBF4EF89364F10842AD45AA7240C7789985CFA5
              Function 076718B8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 700 76718b8-7671906 702 7671916-7671955 WriteProcessMemory 700->702 703 7671908-7671914 700->703 705 7671957-767195d 702->705 706 767195e-767198e 702->706 703->702 705->706
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07671948
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: f18874df1b31e5401710e700914b0f135bbec1c180da84032e976a00841fa56e
              • Instruction ID: 08692c92ba8ef10ed9349daf541503be1cef6d98280d76de4a4f8648722e9953
              • Opcode Fuzzy Hash: f18874df1b31e5401710e700914b0f135bbec1c180da84032e976a00841fa56e
              • Instruction Fuzzy Hash: CC2157B19003199FCB10CFA9C884BDEBBF5FF88320F10842AE959A7240C7789945CBA4
              Function 076719A0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 710 76719a0-7671a35 ReadProcessMemory 713 7671a37-7671a3d 710->713 714 7671a3e-7671a6e 710->714 713->714
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07671A28
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: c949f510af5597f15d274f0be22b773dcafa1a3137581cd0d398385fb21e38a4
              • Instruction ID: 175036641395b8b12f8c673b16801c9e4489bef40bba433c1d1f496dd33c0424
              • Opcode Fuzzy Hash: c949f510af5597f15d274f0be22b773dcafa1a3137581cd0d398385fb21e38a4
              • Instruction Fuzzy Hash: 102148B1900259DFCB10DFAAD885BEEBBF5FF88320F10842AE559A7250C7349941CFA1
              Function 02D6D688 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D6D717
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: d8d31c4bef391e5a163f65d51b5d4162756d0b90dd23b52718dc99cf189e00be
              • Instruction ID: caa9d8b0fcd6e9a3ce3535d00c1fede358a2f6e891217d4e28e0e44b2d3d8523
              • Opcode Fuzzy Hash: d8d31c4bef391e5a163f65d51b5d4162756d0b90dd23b52718dc99cf189e00be
              • Instruction Fuzzy Hash: 882103B59002489FDB10CFAAD984AEEBFF5EB48314F14805AE958A7350D374A940CFA1
              Function 07671720 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
              Download Yara Rule
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0767179E
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 5e8945678fb442c6268541b234f6c0d326bb42792096344097683eae041ccc19
              • Instruction ID: fde2c97aafc550dbad51126f8dfa1b165aeb6c411bcc1d5dd2e3665ec437adb6
              • Opcode Fuzzy Hash: 5e8945678fb442c6268541b234f6c0d326bb42792096344097683eae041ccc19
              • Instruction Fuzzy Hash: D32149B1D003098FDB14DFAAC4857EEBBF4EF88364F10842AD459A7240D7789944CFA4
              Function 076719A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
              Download Yara Rule
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07671A28
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: d94eb1cf1a9d06d91acc251e8392c0b7c0ac9daa77e492c7ff4dd45cfa5f3e8f
              • Instruction ID: c47330b59f4ca74cd7be40ae4516b858d28a9d04c97ad991acb2a0c5388ae054
              • Opcode Fuzzy Hash: d94eb1cf1a9d06d91acc251e8392c0b7c0ac9daa77e492c7ff4dd45cfa5f3e8f
              • Instruction Fuzzy Hash: 982139B19003599FCB10DFAAC844BDEFBF5FF88320F10842AE559A7250D7349544CBA4
              Function 02D6D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
              Download Yara Rule
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D6D717
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 64b00739996185544b39702c3d2a3d5bf17a1e46f13330c286c50edfeb253ad5
              • Instruction ID: b40c17b85317c1cb7b3b70b38adf45817183210d2a77f7f8c7a212d0adc299cb
              • Opcode Fuzzy Hash: 64b00739996185544b39702c3d2a3d5bf17a1e46f13330c286c50edfeb253ad5
              • Instruction Fuzzy Hash: E321E4B59002589FDB10CFAAD984ADEBBF5EB48310F14801AE914A3350D374A950CFA5
              Function 076717F1 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
              Download Yara Rule
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07671866
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 3f5832424aa6c4edaa1a3c5426360b1eae0506018e087db53bcdb463c999acb7
              • Instruction ID: b7c18742cc8173f68e39dfa42651673a00e659c5e7b5651bd0a4fdf5e7efbcd9
              • Opcode Fuzzy Hash: 3f5832424aa6c4edaa1a3c5426360b1eae0506018e087db53bcdb463c999acb7
              • Instruction Fuzzy Hash: 281167B28002099BCB10DFAAC844ADEBFF5EB89320F20841AE519A7250C7359540CBA1
              Function 07671669 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 750fb79f2ce4aef23014a90e600d4c349b7b0cce2c7ed15749dd91cc7cf727f7
              • Instruction ID: 0633e25825749f215f4e96538b19cb35fac768e657d97e991322f67776d1ef1c
              • Opcode Fuzzy Hash: 750fb79f2ce4aef23014a90e600d4c349b7b0cce2c7ed15749dd91cc7cf727f7
              • Instruction Fuzzy Hash: E01158B59002498BCB24DFAAC4457DEFBF5EB89324F24842AD459A7250CB74A944CFA4
              Function 076717F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
              Download Yara Rule
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07671866
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 93f530bd4288812f77e9a5c822cbf428ef2e055cf9bc883ab69d0f994843568f
              • Instruction ID: ef65e839d95c1f3d56e24f721564839b7496d6f638afcef2848f7b289400f160
              • Opcode Fuzzy Hash: 93f530bd4288812f77e9a5c822cbf428ef2e055cf9bc883ab69d0f994843568f
              • Instruction Fuzzy Hash: 991167B19002499FCB10DFAAC844BDFBFF5EF88320F10841AE519A7250C735A540CFA1
              Function 076762B0 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07676315
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 33fe8933e108d57d1810cb6db0c3d915d7fbac83ce92cba24f66d99e40e4adff
              • Instruction ID: 25ee08bbd6e8ffca1f97fdff0c1a9e3738d805265f211b205dd7f17bb1467b21
              • Opcode Fuzzy Hash: 33fe8933e108d57d1810cb6db0c3d915d7fbac83ce92cba24f66d99e40e4adff
              • Instruction Fuzzy Hash: F81106B58003499FDB10DF9AD845BDEFFF8EB48324F20841AE555A7600C375A984CFA1
              Function 07671670 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: 3f331db67b011cdf6043326e360e0408d91e7e09832a8928ce36e51cd308c4d2
              • Instruction ID: 7636cd06363ad69143f6a266aabe4a3c55a87deb9650391ccc5cbac8220d3052
              • Opcode Fuzzy Hash: 3f331db67b011cdf6043326e360e0408d91e7e09832a8928ce36e51cd308c4d2
              • Instruction Fuzzy Hash: D21136B19002598FCB24DFAAC4457DEFBF5EF88324F24842AD459A7250CB75A944CFA4
              Function 02D6AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 02D6AFFE
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 21c77665a461d71a34822d49c9dd426c837f55cc55ea3b75fa57ec626ef43d93
              • Instruction ID: 45a3fa66862d887f429603c6bf8edfa7d6804e07e13c414c6a4dad797de9f04e
              • Opcode Fuzzy Hash: 21c77665a461d71a34822d49c9dd426c837f55cc55ea3b75fa57ec626ef43d93
              • Instruction Fuzzy Hash: 9311E0B6D002498FCB10DF9AC448ADEFBF4EB88328F10846AD469B7350D375A945CFA5
              Function 07672658 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07676315
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: MessagePost
              • String ID:
              • API String ID: 410705778-0
              • Opcode ID: 06bd51b19ccd437ffe4cf92cc3ead1e48e6559f5f304b6ef05f58fcc05153df6
              • Instruction ID: 82706ca5740ab4c85f3a4dc234ceb0cffabaa0d96ade3d5f88cdcbbf1424f4f3
              • Opcode Fuzzy Hash: 06bd51b19ccd437ffe4cf92cc3ead1e48e6559f5f304b6ef05f58fcc05153df6
              • Instruction Fuzzy Hash: 1611F2B5800749DFCB10DF9AC448BDEBBF8EB48324F108419E959A7210D375A944CFA1
              Function 0126D4C4 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f873be7c20bfeb84538c80585e886623f9871408a1abc54147391f3c8a5bcebf
              • Instruction ID: d9de5cd99896560466f29c595f844d743131420639f1bf9a029d6b25f276df97
              • Opcode Fuzzy Hash: f873be7c20bfeb84538c80585e886623f9871408a1abc54147391f3c8a5bcebf
              • Instruction Fuzzy Hash: F421457161024CDFCB01DF58E9C0B26BF69FB88318F20C169E9890B696C336D486CAA1
              Function 0126D3D8 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 082f6bb12e1a70bf9fdd4862f17a1a564d6d9f66c715b2b5e9689b511d212f3f
              • Instruction ID: 9ea2d1bc0c3191661b637c14df0502c360a942b5cb3110fcac6469b4cc60df47
              • Opcode Fuzzy Hash: 082f6bb12e1a70bf9fdd4862f17a1a564d6d9f66c715b2b5e9689b511d212f3f
              • Instruction Fuzzy Hash: E421487521024CDFDB01DF48C9C0B56BF69FB98314F20C169D9494B296C336E896CAA1
              Function 0127D1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1766085002.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_127d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20b67454049fe5e8947586d7e18082e1f6d3fd106a9285d333b777430534e600
              • Instruction ID: f296fb4151034f5073130756e36c80d17fc658e7c0506be2f6e40ac7a316883b
              • Opcode Fuzzy Hash: 20b67454049fe5e8947586d7e18082e1f6d3fd106a9285d333b777430534e600
              • Instruction Fuzzy Hash: DF210071614208EFDB01DF98D980B27BBA5FF84324F20C6ADE9094B257C376D846CA61
              Function 0127D01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1766085002.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_127d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cd5658ca64aef9b8038f0282f43353bc9b8de2a68ba166c22bb305acf96c7721
              • Instruction ID: 03c5ade4aab30b002c6ae7bd3762d40a711d459352f7c1ffaca4faa8f446766f
              • Opcode Fuzzy Hash: cd5658ca64aef9b8038f0282f43353bc9b8de2a68ba166c22bb305acf96c7721
              • Instruction Fuzzy Hash: 6A214F70214208DFCB12DF68D980B27BFA1EF88314F20C56DE90A4B296C37AD807CA61
              Function 0127D006 Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1766085002.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_127d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 470773100b110789c22d78173341bb4acd58ba6acc932c1cd998130aef0bc70a
              • Instruction ID: 5af02131c4394ddeb7ac7bec84989df65707b09a3fee94a0eaba80baf6d0d3d6
              • Opcode Fuzzy Hash: 470773100b110789c22d78173341bb4acd58ba6acc932c1cd998130aef0bc70a
              • Instruction Fuzzy Hash: 04217C755093848FDB03CF24D994716BF71EF46314F28C5EAD9498B6A7C33A980ACB62
              Function 0126D4BF Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 838ee2082a49a043795e66daca521c25c5cbb6db0de24e1f9d73af6c082ef56f
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 50110376504288CFCB12CF54D5C4B16BF71FB84318F24C6AAD9490B657C336D45ACBA1
              Function 0126D3D3 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 52e64e0b13a5654dbbc28c616965d1191688a5e0c52ef7f0376b7658c9cbb2f8
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: A4110376504288CFDB02CF44D5C4B56BF71FB94324F24C2A9D9490B297C33AE85ACBA1
              Function 0127D1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1766085002.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_127d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 58663b90ab89b436923c89d1157ab05ae201bed0417777098ae36fe26d41c87b
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: A711BB75504284DFDB02CF54C5C4B16BFA1FF84224F28C6AADD494B297C33AD40ACB61
              Function 0126D745 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba7f4df6f89d79edcaf0dbdef57861b4b8f4b46116821a57273638c9f657460f
              • Instruction ID: 5140465c8ba6878fcda84af1424bd9dadb4b4686c0f1a8c84c50dd54aa79380b
              • Opcode Fuzzy Hash: ba7f4df6f89d79edcaf0dbdef57861b4b8f4b46116821a57273638c9f657460f
              • Instruction Fuzzy Hash: 5B012B3121838C9AE7165E69CD84B67BF9CDF45324F18C52AEE480E2C6D27DD880C672
              Function 0126D744 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1765962217.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_126d000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d238f0c34fef18982834f891376d65e994a1f4c0d12bac53daa006c75549c23
              • Instruction ID: 552dd7c5370f80f3d8bf91ae43c5bc5d4c289850d79ba67ef6f68dc76342352d
              • Opcode Fuzzy Hash: 6d238f0c34fef18982834f891376d65e994a1f4c0d12bac53daa006c75549c23
              • Instruction Fuzzy Hash: 71F062715043889AE7159E1ADC88B62FFACEB45634F18C45AEE484A2C6C2799884CBB1

              Non-executed Functions

              Function 07677EE8 Relevance: .4, Instructions: 352COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8268ca7e46b18c7ea39fc223a95130dc85e9ad6f3dafdc89d35323eaa6e8ca0c
              • Instruction ID: 5cd5493e776cd2325ede43251fc5f9408821575c2c6947291ffcb6e9530580c7
              • Opcode Fuzzy Hash: 8268ca7e46b18c7ea39fc223a95130dc85e9ad6f3dafdc89d35323eaa6e8ca0c
              • Instruction Fuzzy Hash: 22D1BAB07006069FDB29DB75C8687AEB7F6AF89340F24446DD14A9B390DB35EC01CBA1
              Function 07670E48 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4f781a96227214a96f5c56be97b90d5840d2e92437067d3b0626f8e0b770b36
              • Instruction ID: 6772f5793ef81a404f94b07cb961e8ad350bda5f262011c9790b9d831a95e646
              • Opcode Fuzzy Hash: d4f781a96227214a96f5c56be97b90d5840d2e92437067d3b0626f8e0b770b36
              • Instruction Fuzzy Hash: 17E1EBB4E102198FCB14DFA9C5909AEFBF2BF89304F24C16AD415AB356DB31A941CF61
              Function 076705D8 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0c4250f95e04dc74a40d08b6a14a5a955300271b3b6c11f2710266fa269422e
              • Instruction ID: 5d20c3e8150fe053bcceb9c48cb4ca395eec0ed117da2f31b26dac11e8d46506
              • Opcode Fuzzy Hash: c0c4250f95e04dc74a40d08b6a14a5a955300271b3b6c11f2710266fa269422e
              • Instruction Fuzzy Hash: E2E1E7B4E102198FDB14DFA9C5909AEFBB2FF89304F248169E415AB356D731A941CFA0
              Function 07670A10 Relevance: .3, Instructions: 312COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 03ef1d70b80297f8d713a1471f693e6ce5819d56da1ebfcaef2378a7173f8813
              • Instruction ID: e8df55ae83ba2f8689e9d25cd29a90bb5f61410f4af1539e37c0f53cd24f0d74
              • Opcode Fuzzy Hash: 03ef1d70b80297f8d713a1471f693e6ce5819d56da1ebfcaef2378a7173f8813
              • Instruction Fuzzy Hash: 7FE1D7B4E102198FCB14DFA9C5909AEFBF2FF89304F248169E415AB356D731A942CF61
              Function 02D6D5BC Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1768309320.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2d60000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd1425e67f5836be19651718e0e7337ff8db073f2e7db9d417316d245952af9d
              • Instruction ID: 1d0b6026b5ffb751e176e800aef54137639227b2d1537d1e556b471cbe14ee6a
              • Opcode Fuzzy Hash: dd1425e67f5836be19651718e0e7337ff8db073f2e7db9d417316d245952af9d
              • Instruction Fuzzy Hash: D3A17C32E006098FCF05DFA4D8485AEB7B2FF85304B15856AE806AB765DB35ED15CF90
              Function 076705C8 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1784883240.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7670000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffdb6993c6e4f7265f980db2bb8d4e8be278f5ec64d53099f134fb814fe633d9
              • Instruction ID: d529428c826dfe1c9f8e86b0dfbf837fc2092c0880c8c640958de476438b80d9
              • Opcode Fuzzy Hash: ffdb6993c6e4f7265f980db2bb8d4e8be278f5ec64d53099f134fb814fe633d9
              • Instruction Fuzzy Hash: 92510DB4E102198FCB14DFA9C9905AEFBF2BF89304F24C16AD419AB355D7319941CFA1

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:5.3%
              Signature Coverage:9.8%
              Total number of Nodes:132
              Total number of Limit Nodes:13
              execution_graph 94529 42f543 94530 42f553 94529->94530 94531 42f559 94529->94531 94534 42e463 94531->94534 94533 42f57f 94537 42c5a3 94534->94537 94536 42e47e 94536->94533 94538 42c5bd 94537->94538 94539 42c5ce RtlAllocateHeap 94538->94539 94539->94536 94540 4249a3 94544 4249bc 94540->94544 94541 424a04 94548 42e383 94541->94548 94544->94541 94545 424a47 94544->94545 94547 424a4c 94544->94547 94546 42e383 RtlFreeHeap 94545->94546 94546->94547 94551 42c5f3 94548->94551 94550 424a14 94552 42c610 94551->94552 94553 42c621 RtlFreeHeap 94552->94553 94553->94550 94657 42f673 94658 42f5e3 94657->94658 94659 42f640 94658->94659 94660 42e463 RtlAllocateHeap 94658->94660 94661 42f61d 94660->94661 94662 42e383 RtlFreeHeap 94661->94662 94662->94659 94663 42b873 94664 42b88d 94663->94664 94667 1262df0 LdrInitializeThunk 94664->94667 94665 42b8b5 94667->94665 94668 424613 94669 42462f 94668->94669 94670 424657 94669->94670 94671 42466b 94669->94671 94673 42c283 NtClose 94670->94673 94672 42c283 NtClose 94671->94672 94674 424674 94672->94674 94675 424660 94673->94675 94678 42e4a3 RtlAllocateHeap 94674->94678 94677 42467f 94678->94677 94554 4173a3 94556 4173c7 94554->94556 94555 4173ce 94556->94555 94557 4173ed 94556->94557 94561 42f923 94556->94561 94559 417403 LdrLoadDll 94557->94559 94560 41741a 94557->94560 94559->94560 94563 42f949 94561->94563 94562 42f99b 94562->94557 94563->94562 94566 429783 94563->94566 94565 42f9f0 94565->94557 94567 4297e1 94566->94567 94569 4297f5 94567->94569 94570 417423 94567->94570 94569->94565 94571 4173f6 94570->94571 94572 417403 LdrLoadDll 94571->94572 94573 41741a 94571->94573 94572->94573 94573->94569 94679 413653 94682 42c503 94679->94682 94683 42c520 94682->94683 94686 1262c70 LdrInitializeThunk 94683->94686 94684 413675 94686->94684 94687 413833 94691 413853 94687->94691 94689 4138b2 94690 4138bc 94691->94690 94692 41b033 RtlFreeHeap LdrInitializeThunk 94691->94692 94692->94689 94574 1262b60 LdrInitializeThunk 94575 4241a4 94576 4241c5 94575->94576 94577 4241e3 94576->94577 94578 4241f8 94576->94578 94580 42c283 NtClose 94577->94580 94586 42c283 94578->94586 94581 4241ec 94580->94581 94582 424238 94583 424201 94583->94582 94584 42e383 RtlFreeHeap 94583->94584 94585 42422c 94584->94585 94587 42c2a0 94586->94587 94588 42c2b1 NtClose 94587->94588 94588->94583 94589 401aec 94590 401aed 94589->94590 94593 42fa13 94590->94593 94596 42df33 94593->94596 94597 42df59 94596->94597 94606 4072f3 94597->94606 94599 42df6f 94600 401b5c 94599->94600 94609 41ad23 94599->94609 94602 42df8e 94603 42dfa3 94602->94603 94604 42c643 ExitProcess 94602->94604 94620 42c643 94603->94620 94604->94603 94623 416053 94606->94623 94608 407300 94608->94599 94610 41ad4f 94609->94610 94641 41ac13 94610->94641 94613 41ad94 94616 41adb0 94613->94616 94617 42c283 NtClose 94613->94617 94614 41ad7c 94615 42c283 NtClose 94614->94615 94618 41ad87 94614->94618 94615->94618 94616->94602 94619 41ada6 94617->94619 94618->94602 94619->94602 94621 42c65d 94620->94621 94622 42c66e ExitProcess 94621->94622 94622->94600 94624 416070 94623->94624 94626 416089 94624->94626 94627 42cd03 94624->94627 94626->94608 94628 42cd1d 94627->94628 94629 42cd4c 94628->94629 94634 42b8c3 94628->94634 94629->94626 94632 42e383 RtlFreeHeap 94633 42cdc5 94632->94633 94633->94626 94635 42b8e0 94634->94635 94638 1262c0a 94635->94638 94636 42b90c 94636->94632 94639 1262c11 94638->94639 94640 1262c1f LdrInitializeThunk 94638->94640 94639->94636 94640->94636 94642 41ac2d 94641->94642 94646 41ad09 94641->94646 94647 42b963 94642->94647 94645 42c283 NtClose 94645->94646 94646->94613 94646->94614 94648 42b97d 94647->94648 94651 12635c0 LdrInitializeThunk 94648->94651 94649 41acfd 94649->94645 94651->94649 94652 42492c 94653 424932 94652->94653 94654 42c283 NtClose 94653->94654 94656 424937 94653->94656 94655 42495c 94654->94655

              Executed Functions

              Function 004173A3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 41 4173a3-4173cc call 42f083 44 4173d2-4173e0 call 42f683 41->44 45 4173ce-4173d1 41->45 48 4173f0-417401 call 42da03 44->48 49 4173e2-4173e8 call 42f923 44->49 54 417403-417417 LdrLoadDll 48->54 55 41741a-41741d 48->55 52 4173ed 49->52 52->48 54->55
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417415
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: dede90169ca1db16459994232f99263c7f2dcb4bb26b17399f27a86b55b0f282
              • Instruction ID: 803bad41f6ba97ca028c5b6ebb90ab713b5e5efc40e90978f485b4949f8331b9
              • Opcode Fuzzy Hash: dede90169ca1db16459994232f99263c7f2dcb4bb26b17399f27a86b55b0f282
              • Instruction Fuzzy Hash: 7E015EB1E0420DBBDB10DAE5DC42FDEB7B89B54308F4081AAED0897241F634EB588B95
              Function 0042C283 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 61 42c283-42c2bf call 404673 call 42d4f3 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C2BA
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: a3b23e781c8297b53f8e4474b48c3a032b94d0ec253a5db592d64cd3afe2f326
              • Instruction ID: 3acc76f724e085259d6ac582d8d2a4bb54828ea73bc7891a87a57e5bec1fb20c
              • Opcode Fuzzy Hash: a3b23e781c8297b53f8e4474b48c3a032b94d0ec253a5db592d64cd3afe2f326
              • Instruction Fuzzy Hash: 85E04F726002147BD620BA5ADC41F97776CDBC6714F00441AFB0867241C6B5B91187F8
              Function 01262B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 75 1262b60-1262b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 71c06d5fdc06693205dfee10632c478894c1c2ed8e122b0f3f005f5384118b3d
              • Instruction ID: 914b4df0db6d2d2a6a3584f241687280005f1f3bb5a79ac3bae85ebe5017f70a
              • Opcode Fuzzy Hash: 71c06d5fdc06693205dfee10632c478894c1c2ed8e122b0f3f005f5384118b3d
              • Instruction Fuzzy Hash: DE90026121340003420571584418617400A97E0201B55C031E2014590DC53589916225
              Function 01262DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 77 1262df0-1262dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c6b3f6cb76886e96bd85362f62bb37b66d01a3a0e6e81c80049dd295470b208c
              • Instruction ID: 513b81ef8549db7fa22c6324a1659d4f4f34b1f60f6c3e382ebfc34830929f09
              • Opcode Fuzzy Hash: c6b3f6cb76886e96bd85362f62bb37b66d01a3a0e6e81c80049dd295470b208c
              • Instruction Fuzzy Hash: 5390023121240413D21171584508707000997D0241F95C422A1424558DD6668A52A221
              Function 01262C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 76 1262c70-1262c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 8686d7838da3a0abc5e07d55d628478bf6ffdfbd3deab996f984fdd26f318264
              • Instruction ID: b03f212a8282067f67f5effc447fb6e51ccefee291f358b39ba9d54b8912653a
              • Opcode Fuzzy Hash: 8686d7838da3a0abc5e07d55d628478bf6ffdfbd3deab996f984fdd26f318264
              • Instruction Fuzzy Hash: 3890023121248802D2107158840874B000597D0301F59C421A5424658DC6A589917221
              Function 012635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 78 12635c0-12635cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: efe8894f59c6c46ce78cf668b23ba3ab764ab6da1ccff572fe3031c9d6f0cb41
              • Instruction ID: 7ec4c11d6313640972b1eebd8bae4a0779b9cd0e78d946eb8d8483aa20474d9a
              • Opcode Fuzzy Hash: efe8894f59c6c46ce78cf668b23ba3ab764ab6da1ccff572fe3031c9d6f0cb41
              • Instruction Fuzzy Hash: 2C90023161650402D20071584518707100597D0201F65C421A1424568DC7A58A5166A2
              Function 0042C5F3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 42c5f3-42c637 call 404673 call 42d4f3 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C632
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: `A
              • API String ID: 3298025750-2149027389
              • Opcode ID: acdd237a7a728e10ed32de03d3610bc6aa7b5a30a2fd813fd7ddd9c11810606e
              • Instruction ID: ef4f435ce52e82b347afb479fc27a960a2fd8fe731e4cd794d162683faa6edbf
              • Opcode Fuzzy Hash: acdd237a7a728e10ed32de03d3610bc6aa7b5a30a2fd813fd7ddd9c11810606e
              • Instruction Fuzzy Hash: A1E092B1204204BBC614EE99EC45FAB37ACEFC5714F00441AFA09A7241D7B9B91087B8
              Function 00417423 Relevance: 1.7, APIs: 1, Instructions: 158libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 12 417423-41743a 13 417440-41744a 12->13 14 4173f6-417401 13->14 15 41744c-41747f 13->15 17 417403-417417 LdrLoadDll 14->17 18 41741a-41741d 14->18 15->13 20 417481-4174ac 15->20 17->18 21 417512-417513 20->21 22 4174ae-4174c3 20->22 24 417501 22->24 25 4174c5-4174ce 22->25 26 4174d1-417500 25->26 27 41750e 25->27 26->24 29 417510 27->29 30 417514-41752b call 42f0e3 27->30 29->21 33 41752d-41755e call 42f0e3 call 42b263 30->33 34 41755f-41757f call 42b263 30->34
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417415
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 0e700db7e7ae3d175effefb3dd905522a701cb4ed781b9a175d105c238978748
              • Instruction ID: 2bdc795f987955a10cd13a1914c58911e0966c6eebcaf474662c92624490cd5e
              • Opcode Fuzzy Hash: 0e700db7e7ae3d175effefb3dd905522a701cb4ed781b9a175d105c238978748
              • Instruction Fuzzy Hash: 85419C31A08345ABDB11DBB8DC81BEABBB8DF06758F0406EFFD448B142E6369545CB91
              Function 0042C5A3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 56 42c5a3-42c5e4 call 404673 call 42d4f3 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E1BE,?,?,00000000,?,0041E1BE,?,?,?), ref: 0042C5DF
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 6ae38073c7aa3304867fd0be910f8801875f33a6ff849def5cfbe6102455eb91
              • Instruction ID: 369c668a4cc3a630eb3a9f8dc206576169b1919bd89476b6c8e575149a96f991
              • Opcode Fuzzy Hash: 6ae38073c7aa3304867fd0be910f8801875f33a6ff849def5cfbe6102455eb91
              • Instruction Fuzzy Hash: 40E06DB2604214BBD614EF59EC85F9B73ACEFC9714F004419FA08A7241E675B91087B8
              Function 0042C643 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 66 42c643-42c67c call 404673 call 42d4f3 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1895689416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_400000_PURCHASE ORDER-6350.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: d07bb6d48f55c1af12db6d259e200f4b880b1beeb5d75b6632a6234d11049001
              • Instruction ID: 55c01a96584f11098ac7db8d9c475956f6f860f285eb3010744f92bad983cb5b
              • Opcode Fuzzy Hash: d07bb6d48f55c1af12db6d259e200f4b880b1beeb5d75b6632a6234d11049001
              • Instruction Fuzzy Hash: F5E086312002547BD610FA5AEC41FEB775CDFC6714F40441AFA08A7282D675BA0187F4
              Function 01262C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 71 1262c0a-1262c0f 72 1262c11-1262c18 71->72 73 1262c1f-1262c26 LdrInitializeThunk 71->73
              APIs
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: d1d4f069eaf281ec1f8cc1dbdefd98bdfa71bde7b77924748612ed09044954c7
              • Instruction ID: 1e0e582e885c7bd7d032adecd7f14aacf6bf57844348643ad714d9e57226e1c7
              • Opcode Fuzzy Hash: d1d4f069eaf281ec1f8cc1dbdefd98bdfa71bde7b77924748612ed09044954c7
              • Instruction Fuzzy Hash: B7B09B719125D5C9DB11F764460C717790477D0701F16C071D3030645F4738C1D1E375

              Non-executed Functions

              Function 012A2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 91a5d018cad04a172ded70b7c3b1133a02f769cac236bd8bf240d1ffb0214938
              • Instruction ID: 1a9eee24742c2b8c8d94f8f3250361b216d5617801dceb38d83ba1d4e72f49a8
              • Opcode Fuzzy Hash: 91a5d018cad04a172ded70b7c3b1133a02f769cac236bd8bf240d1ffb0214938
              • Instruction Fuzzy Hash: EE928C71628342EFE725CF28C881B6ABBE8BB84754F44491DFB94D7291D770E844CB92
              Function 01258620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012954E2
              • corrupted critical section, xrefs: 012954C2
              • Critical section address., xrefs: 01295502
              • 8, xrefs: 012952E3
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0129540A, 01295496, 01295519
              • Critical section address, xrefs: 01295425, 012954BC, 01295534
              • double initialized or corrupted critical section, xrefs: 01295508
              • Thread is in a state in which it cannot own a critical section, xrefs: 01295543
              • Critical section debug info address, xrefs: 0129541F, 0129552E
              • Invalid debug info address of this critical section, xrefs: 012954B6
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012954CE
              • Thread identifier, xrefs: 0129553A
              • undeleted critical section in freed memory, xrefs: 0129542B
              • Address of the debug info found in the active list., xrefs: 012954AE, 012954FA
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: b713a632fb181e8f55ed38a2c43e3cfacb06594297d1d3c2f6ff751bb8daba74
              • Instruction ID: 7e157a067ecf868d6bcb8c64b5109dac31e6c36f60120676e1b7d618cfc4a712
              • Opcode Fuzzy Hash: b713a632fb181e8f55ed38a2c43e3cfacb06594297d1d3c2f6ff751bb8daba74
              • Instruction Fuzzy Hash: 20817CB0E60359AFDF21CF99C845BAEBBB5FB48714F10411AE608B7291D3B5A941CB60
              Function 012529F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
              Download Yara Rule
              Strings
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0129261F
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01292412
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012924C0
              • @, xrefs: 0129259B
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01292409
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01292602
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01292624
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012925EB
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012922E4
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01292498
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01292506
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              • Opcode ID: 6bb7ea030826f6338ae157e60efd00c3f96d8660b827896013834b08de646ecd
              • Instruction ID: 55f4952f33b6a0507a586a2c2bc3bf220a660ad104b038ab4de6adebb7cf62bd
              • Opcode Fuzzy Hash: 6bb7ea030826f6338ae157e60efd00c3f96d8660b827896013834b08de646ecd
              • Instruction Fuzzy Hash: 390291B1D20229DFDF61DB58CC81BE9B7B8AB54304F0141D9AB49A7282D770AE84CF59
              Function 012C8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              • Opcode ID: e07bea032c4a44ac711578f889e1d29ab21aae5863253a0a75210ed040483560
              • Instruction ID: 6167c8774da86d11207023425c518b1ec3bd12205b71a15ba7413cdbdcac0365
              • Opcode Fuzzy Hash: e07bea032c4a44ac711578f889e1d29ab21aae5863253a0a75210ed040483560
              • Instruction Fuzzy Hash: 5551C3711243129BC329DF188944BABBBECFF98B50F148A1DEB59C3280E770D644C792
              Function 012D0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 41f0607186dc39eef9600a5a31f718fec971d23cec904204547d3568a1f2c10f
              • Instruction ID: 4f17571219808a6f8d822d9f988c3c82f51a2b32f15e0e4c0f1798d55c7423a0
              • Opcode Fuzzy Hash: 41f0607186dc39eef9600a5a31f718fec971d23cec904204547d3568a1f2c10f
              • Instruction Fuzzy Hash: 8BD10E35620686DFDB22DFA8C441AAEBBF2FF59710F088059FA459B662C734D841CF58
              Function 012A89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
              Download Yara Rule
              Strings
              • HandleTraces, xrefs: 012A8C8F
              • VerifierDebug, xrefs: 012A8CA5
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 012A8A3D
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 012A8A67
              • VerifierFlags, xrefs: 012A8C50
              • VerifierDlls, xrefs: 012A8CBD
              • AVRF: -*- final list of providers -*- , xrefs: 012A8B8F
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              • API String ID: 0-3223716464
              • Opcode ID: ccb187c69092aca36860268ce7b959a548d2dc526bb8a98a192827228c18c0a0
              • Instruction ID: c37bdc8dc687dfc7e2e3dfeabc293dcac14e21a2d0e5a42e85f89c66281bd559
              • Opcode Fuzzy Hash: ccb187c69092aca36860268ce7b959a548d2dc526bb8a98a192827228c18c0a0
              • Instruction Fuzzy Hash: 81918972661702EFD726EF68C881B6B7BE8EB99715F800918FB41AB241D770DC01CB91
              Function 0122EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: 539ea149e0494d3c64f9810a0a3daca524813b1dee9ff05af64759dabd3dde73
              • Instruction ID: 7b123f43ed95be591143143baf3ebbedb5767435e68d53ff0e9c7c852e1cb974
              • Opcode Fuzzy Hash: 539ea149e0494d3c64f9810a0a3daca524813b1dee9ff05af64759dabd3dde73
              • Instruction Fuzzy Hash: ECA25C70A2566A8FDB64EF18CD987ADBBB5EF45304F2442D9D90DA7291DB709E80CF00
              Function 012563FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 901ebc5e662723e71f5bbf87069f7b6338cbce8adca76222f5b69ec9f83be74a
              • Instruction ID: 8a46e85a32c3362c38ea62f21403451417976e39a3cfc7ed2475ad33e99edee3
              • Opcode Fuzzy Hash: 901ebc5e662723e71f5bbf87069f7b6338cbce8adca76222f5b69ec9f83be74a
              • Instruction Fuzzy Hash: 60913A70B30356DBEF39EF5CD985BBA7BA5FB41B28F400169EA0067285D7B09842C790
              Function 0121645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
              Download Yara Rule
              Strings
              • LdrpInitShimEngine, xrefs: 012799F4, 01279A07, 01279A30
              • apphelp.dll, xrefs: 01216496
              • minkernel\ntdll\ldrinit.c, xrefs: 01279A11, 01279A3A
              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01279A2A
              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01279A01
              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 012799ED
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: c8dfca2c203b044b3c4e29eb3f66373b7e05650036176c897daf760530a678ec
              • Instruction ID: dd04b03b268c092fdb25574097373ca4a1ce0350f721244251efcd0061dcb8f9
              • Opcode Fuzzy Hash: c8dfca2c203b044b3c4e29eb3f66373b7e05650036176c897daf760530a678ec
              • Instruction Fuzzy Hash: CF511271268301DFEB21EF24D841BAB77E8FB84758F00091EF685971A4DB70E984CB92
              Function 01252674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012921BF
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01292178
              • RtlGetAssemblyStorageRoot, xrefs: 01292160, 0129219A, 012921BA
              • SXS: %s() passed the empty activation context, xrefs: 01292165
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01292180
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0129219F
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: 5a40417155551ed9f2b66c150014be588a000f4533f311fa396cd0c6da89b079
              • Instruction ID: 5f2930282983d672d2eb3d2dacab41f59e756d4c449c5f688abcb0ea37c2c581
              • Opcode Fuzzy Hash: 5a40417155551ed9f2b66c150014be588a000f4533f311fa396cd0c6da89b079
              • Instruction Fuzzy Hash: BF31E776B70216F7EB22CA9D8C85F6A7A78DB65A50F054159BF0477182D370AA00C7A1
              Function 0125C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 012981E5
              • minkernel\ntdll\ldrinit.c, xrefs: 0125C6C3
              • LdrpInitializeProcess, xrefs: 0125C6C4
              • Loading import redirection DLL: '%wZ', xrefs: 01298170
              • minkernel\ntdll\ldrredirect.c, xrefs: 01298181, 012981F5
              • LdrpInitializeImportRedirection, xrefs: 01298177, 012981EB
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 41e885fab9562d0b60b480e5c59530253a1c1ddccbeb01c145c143d17bdd1b80
              • Instruction ID: bc557bc56518c23162eb9c390fdbbb9a7fff41131c7021cd0031ad1cf8a85675
              • Opcode Fuzzy Hash: 41e885fab9562d0b60b480e5c59530253a1c1ddccbeb01c145c143d17bdd1b80
              • Instruction Fuzzy Hash: 253113716643469FD324EF29D886E2A7BD8FF95B10F040558F940AB2D1E660ED04C7A2
              Function 0126096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 01262DF0: LdrInitializeThunk.NTDLL ref: 01262DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01260D74
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              • Opcode ID: 1d4f5bdb39b3835c50a116aed196ed2ca4f9e293f73fea92380b383580553b4e
              • Instruction ID: 839c8c364dac27eb31a51ade89cb7b2f8cf13195b3b19408dc610e4d177a6650
              • Opcode Fuzzy Hash: 1d4f5bdb39b3835c50a116aed196ed2ca4f9e293f73fea92380b383580553b4e
              • Instruction Fuzzy Hash: C3424C71910716DFDB21CF68C881BAAB7F9FF44314F1445AAE989DB281E770A984CF60
              Function 0122A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: ec038d80f8b6967f83c5651e99db88b9a6ff84c0e92c5225e34a32c8ada0e9a3
              • Instruction ID: cd99e08ae960f02697961d6ec5343feb073f4d4afe15dce742c89e978238a933
              • Opcode Fuzzy Hash: ec038d80f8b6967f83c5651e99db88b9a6ff84c0e92c5225e34a32c8ada0e9a3
              • Instruction Fuzzy Hash: E5C1BB70528392EFD721DF58C144B6EB7E4FF84304F04896AFA868BA91E374C949CB52
              Function 01258402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 01258591
              • minkernel\ntdll\ldrinit.c, xrefs: 01258421
              • LdrpInitializeProcess, xrefs: 01258422
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0125855E
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              • Opcode ID: 2a0366931b7b1b7adb0ed88ca2be02558b55315c45672a7668197ff96aba2112
              • Instruction ID: b393b5b22a228b537768c2f7d16e1d2dd0640e3dd2baefa550083cac1739d854
              • Opcode Fuzzy Hash: 2a0366931b7b1b7adb0ed88ca2be02558b55315c45672a7668197ff96aba2112
              • Instruction Fuzzy Hash: 6E919D71668346AFD722DF26C881F7BBAECFB84744F40092EFA8492151E374D9448B62
              Function 0125273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • .Local, xrefs: 012528D8
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012921D9, 012922B1
              • SXS: %s() passed the empty activation context, xrefs: 012921DE
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012922B6
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 46b0d7be8dbe1f4d03fd39e9817eb038f061b3e4421607127226cd26086b1424
              • Instruction ID: 7f30971919b1ba0f80bc47e2263ccdafc6fc7082a4290038d7b2bb5bbcc1b644
              • Opcode Fuzzy Hash: 46b0d7be8dbe1f4d03fd39e9817eb038f061b3e4421607127226cd26086b1424
              • Instruction Fuzzy Hash: 87A1A03592022ADBDB65CF58D884BA9B7B4BF58314F2441E9DE08AB391D7709E80CF90
              Function 012264AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
              Download Yara Rule
              Strings
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0128106B
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012810AE
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01280FE5
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01281028
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              • Opcode ID: 63476aa45bfc2a89631160c16200d5d86602df3ab798ee09bcdcd8a8555e984b
              • Instruction ID: 8b7a642c543337042e0e86eb0e1b0c62b26385376fd6330cea7dcd68f931dd69
              • Opcode Fuzzy Hash: 63476aa45bfc2a89631160c16200d5d86602df3ab798ee09bcdcd8a8555e984b
              • Instruction Fuzzy Hash: E27104B2524316AFCB21EF14C885BAB7FA8EFA4754F400468FD488B186D774D598CBD1
              Function 0124245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • apphelp.dll, xrefs: 01242462
              • minkernel\ntdll\ldrinit.c, xrefs: 0128A9A2
              • LdrpDynamicShimModule, xrefs: 0128A998
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0128A992
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              • Opcode ID: 05c317b61f0f153942cc914a75a169d953692787ac4068b4806a89a053e0cafe
              • Instruction ID: 0cb0a38cde5aaa4d2a7828712b3b203feebe797ac224646436d2feb20adc7ef8
              • Opcode Fuzzy Hash: 05c317b61f0f153942cc914a75a169d953692787ac4068b4806a89a053e0cafe
              • Instruction Fuzzy Hash: 9E316D75631202EBDB35EF9DD845E7ABBB8FB84714F16005AF90067285CBF09841C740
              Function 012329A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 01233255
              • HEAP: , xrefs: 01233264
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0123327D
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: 7644f1f40cc3c9cc3ca36bafe1622b335c13c9f0797b7cbcb655d2b3f1b81dcb
              • Instruction ID: 0989a1636e0d69091c02daf25baf0602d525e894ec41dacf3169f94c76e33e58
              • Opcode Fuzzy Hash: 7644f1f40cc3c9cc3ca36bafe1622b335c13c9f0797b7cbcb655d2b3f1b81dcb
              • Instruction Fuzzy Hash: 4E92CDB1A2424ADFDB29CF68C4447AEBBF1FF88300F188459E949AB391D775A941CF50
              Function 01230770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: f60d64203cb880fb9e920536bc61c5ddacc469d6cebe21b7a8fd7b2138dc325d
              • Instruction ID: e00d65d6a228cad16003a4cf4d82b8d3f73fe0adb1eceb485c273f97393b146c
              • Opcode Fuzzy Hash: f60d64203cb880fb9e920536bc61c5ddacc469d6cebe21b7a8fd7b2138dc325d
              • Instruction Fuzzy Hash: 0DF1DEB0621606DFEB25DF68C884B7AB7F5FF84704F148168E6069B385D770E981CBA4
              Function 01246962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: e1989dbc6fb5481f115db16f1648ed2a15cb524efb8e0f4356b5f66c5b673e5c
              • Instruction ID: 67dd1530a4954ff36ce929da2e252390696d7d56a596c5990a95325dd2188271
              • Opcode Fuzzy Hash: e1989dbc6fb5481f115db16f1648ed2a15cb524efb8e0f4356b5f66c5b673e5c
              • Instruction Fuzzy Hash: 73C292716293429FE729CF28C441BABBBE5AFC8714F04892DFA99C7241D774D844CB62
              Function 0121A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: edfa926d77f41159079f8b781c15300a61fc7204c9be4616a9efbbf79d4a41bb
              • Instruction ID: e8fbdab1960d652de489501871470e75922ace5335aa4cf5fd29b1e10f3d29fb
              • Opcode Fuzzy Hash: edfa926d77f41159079f8b781c15300a61fc7204c9be4616a9efbbf79d4a41bb
              • Instruction Fuzzy Hash: 31A1407192162A9BDB31DF64CC88BEAB7B8EF44710F1041EAEA09A7250D7359EC4CF50
              Function 01240BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 0128A121
              • LdrpCheckModule, xrefs: 0128A117
              • Failed to allocated memory for shimmed module list, xrefs: 0128A10F
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              • API String ID: 0-161242083
              • Opcode ID: a8b2e6137aa3a975671455701e6b7c0641b496840ff8dec9df901bd35d151ded
              • Instruction ID: d401a99db7138856bc3e833c2f20c65c4f39493967a83e1f047ef333e75360c3
              • Opcode Fuzzy Hash: a8b2e6137aa3a975671455701e6b7c0641b496840ff8dec9df901bd35d151ded
              • Instruction Fuzzy Hash: 1C71B470A20206DFDB29EF68C941BBEB7F8FB44704F15406DEA02D7255E774A981CB58
              Function 01230A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-1334570610
              • Opcode ID: a6d3b6bf9b01173cdafbbec4723a957a99312253d87185e1e4eaa4afd7d7d9db
              • Instruction ID: 87ed14608b0fb2119ce174efc1f06cc02794919f9344a2183752d7f800ac6b74
              • Opcode Fuzzy Hash: a6d3b6bf9b01173cdafbbec4723a957a99312253d87185e1e4eaa4afd7d7d9db
              • Instruction Fuzzy Hash: E061C0B0620302DFDB29DF28C441B6ABBF2FF85304F148559E5498F296D7B0E881CBA5
              Function 0125C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012982E8
              • LdrpInitializePerUserWindowsDirectory, xrefs: 012982DE
              • Failed to reallocate the system dirs string !, xrefs: 012982D7
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 908844c40c62c9d8836dedf4f3e1b6651a7301d655ee5e19d32a72c572e874f0
              • Instruction ID: 7717c38fd2a34d11f6c4a494d4fd45e7aec2197c352a09e025da4b3e6bf6afae
              • Opcode Fuzzy Hash: 908844c40c62c9d8836dedf4f3e1b6651a7301d655ee5e19d32a72c572e874f0
              • Instruction Fuzzy Hash: E54107B1574306ABC725EB68D885B6B77ECEF44760F04492AFA48D7294E7B0D810CB91
              Function 012DC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • PreferredUILanguages, xrefs: 012DC212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 012DC1C5
              • @, xrefs: 012DC1F1
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: cf45578982aa3999563da702d32cb6541a0dc8dc051cb40f6180032aaa6a0d77
              • Instruction ID: d33e83c85cefd521dfb9e5bd93759d42b9768ca0795fe4af382246c981b53666
              • Opcode Fuzzy Hash: cf45578982aa3999563da702d32cb6541a0dc8dc051cb40f6180032aaa6a0d77
              • Instruction Fuzzy Hash: 69417371E2020AEBDF11DBE8C885FEEBBBDAB54710F14416EE609B7284D7749A44CB50
              Function 012B4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: b28e63d7e5b562eae505cf82984474ae64a5f051bcbae831600fa53bfe5edf84
              • Instruction ID: 4f4dfe81d1082f226e211cf0ac0a63e71067ebe2deed7c0765b6e7ab60cc7e44
              • Opcode Fuzzy Hash: b28e63d7e5b562eae505cf82984474ae64a5f051bcbae831600fa53bfe5edf84
              • Instruction Fuzzy Hash: 2F41F6719306998BEB25EB98C8C4BFDBBB8FF55380F140469DA02EB792D7749901CB50
              Function 012A4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • LdrpCheckRedirection, xrefs: 012A488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 012A4888
              • minkernel\ntdll\ldrredirect.c, xrefs: 012A4899
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 1340750e698e33f3fa9dca32cfb3adcb6c5324513adc18bf3bcb3c2baf07fbd4
              • Instruction ID: ea7f6dfe87aad010ebceb1c8280b7eb6fc693f916616e601581ac5b8aa3d3d40
              • Opcode Fuzzy Hash: 1340750e698e33f3fa9dca32cfb3adcb6c5324513adc18bf3bcb3c2baf07fbd4
              • Instruction Fuzzy Hash: DB41D332A243D29FCB26EE5CEC41A267BE5EF49B50F89016DEE4597251D3B0D800CB81
              Function 01230BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-2558761708
              • Opcode ID: 378f5192224de59d97b08856329506aa3ab8d24273b0f2f7d6df736e741e3d5f
              • Instruction ID: 38c45d09ef578cea27f98809729ac44512cc2c3f3936c0bae2d940cf9a086511
              • Opcode Fuzzy Hash: 378f5192224de59d97b08856329506aa3ab8d24273b0f2f7d6df736e741e3d5f
              • Instruction Fuzzy Hash: 9F11D271336142DFDB1DEE1CC442B79B3A6EF90615F188119F506CB695EB70D841CB64
              Function 012A20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012A2104
              • Process initialization failed with status 0x%08lx, xrefs: 012A20F3
              • LdrpInitializationFailure, xrefs: 012A20FA
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: e3f71e304e23fe92852349a3ac08bb5c975ae51aaaaee477f737f13ff11ce3b5
              • Instruction ID: ed1f1e0d71877274cc2414f35689e407f7c957478e5c180506b9efecc35c9e6f
              • Opcode Fuzzy Hash: e3f71e304e23fe92852349a3ac08bb5c975ae51aaaaee477f737f13ff11ce3b5
              • Instruction Fuzzy Hash: A1F02235660309EBE725EA0CCC46FA9376CFB41B18F900059F700772C2D2B0AA40C690
              Function 012303E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: 97034bf6ed5ea8c5b5b667b358991866f8542e6225ef88717a757c24c34d5e6a
              • Instruction ID: 50edcd5ebcc56f361f201cd6b295bf9328708a87c8a9973cdfc6b0ed88f0ef04
              • Opcode Fuzzy Hash: 97034bf6ed5ea8c5b5b667b358991866f8542e6225ef88717a757c24c34d5e6a
              • Instruction Fuzzy Hash: A9715DB1A2014A9FDB01EF98C985FAEB7F8FF58304F144065EA05E7291E634EE41CB64
              Function 0122A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
              Download Yara Rule
              Strings
              • LdrResSearchResource Enter, xrefs: 0122AA13
              • LdrResSearchResource Exit, xrefs: 0122AA25
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              • API String ID: 0-4066393604
              • Opcode ID: e6160313b73a68d0ad15489b27d5ccfb0515d3a93e250ed3fd691f0228590dcf
              • Instruction ID: 9f2678aa30eff5ded6b5e698968f036b166a46d66b01256e34e2d6b4bb67336a
              • Opcode Fuzzy Hash: e6160313b73a68d0ad15489b27d5ccfb0515d3a93e250ed3fd691f0228590dcf
              • Instruction Fuzzy Hash: 00E17571E2122AEFEB21DE98C980BADBBB9FF14710F144425EA01E7A91E774D941CB50
              Function 012EA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: 48c1355241b12dc3a9f16c736cc080f059ba226203420688eb56846b7702f894
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 59C1CF312243429FEB24CF28C849B6BBBE5EFD4318F484A2DF6968B290D7B4D545CB51
              Function 0129E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: e7dc8456f9e7550c91d73370b8a1f7bf175bfce69c1b606271f95e753bafb202
              • Instruction ID: f973dd0cbef68a970fab3dd89daa3466f2167e060a5d07a8849a27815a2f4a27
              • Opcode Fuzzy Hash: e7dc8456f9e7550c91d73370b8a1f7bf175bfce69c1b606271f95e753bafb202
              • Instruction Fuzzy Hash: 2C6149B1E20619AFDB15DFA8C940BBEBBB9FF58700F15402DE649EB291D731A940CB50
              Function 012C43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: fde63eb9855788b05034213dc7650b15884a6aca029f4d4fb8a77cdc456a5ba2
              • Instruction ID: 156f8e58c53aedf4cc330d5ea1a9a7966f8af6913e10e94dab388d4938d952d6
              • Opcode Fuzzy Hash: fde63eb9855788b05034213dc7650b15884a6aca029f4d4fb8a77cdc456a5ba2
              • Instruction Fuzzy Hash: FE513BB1D1025EAFDB11DFA9CC90AEFBBBCEB54B54F100629E611B7290D6309E45CB60
              Function 012204E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
              Download Yara Rule
              Strings
              • kLsE, xrefs: 01220540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0122063D
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: 61a7fff7f3790328ee816a24546d00f5c799d2102e3c4928db1407c952dd5cd6
              • Instruction ID: 2fd1c147d5be67b47c0a4587d6feecdc997453aa769ab4dd3fd727d7df17b266
              • Opcode Fuzzy Hash: 61a7fff7f3790328ee816a24546d00f5c799d2102e3c4928db1407c952dd5cd6
              • Instruction Fuzzy Hash: 1651ACB1524753AFD734DF68C4446ABBBE4AF84304F10483EFAAA87241E770D545CB9A
              Function 0122A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0122A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0122A2FB
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 3acbc6bc5237dc98d7ed5820dcbe043d31bb6779ce124970a04e4ebabb8da192
              • Instruction ID: 4f60e16715470a166127b5c31fdb559a860a0e1d34355ee36619b87a00ada853
              • Opcode Fuzzy Hash: 3acbc6bc5237dc98d7ed5820dcbe043d31bb6779ce124970a04e4ebabb8da192
              • Instruction Fuzzy Hash: 5D41C170A2566AEBDB25DF5DC440B6DBBB4FF84700F244069EA01DBA91E3B9D900CB50
              Function 0125A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 44a7f575af520143cb593a58f5de28a34d320ff281f5cb5d6ac44027000f2053
              • Instruction ID: 0d3fc58b417523bca2d698a349e9c88274f9c4ac1905ce41e58375c5bcf47e17
              • Opcode Fuzzy Hash: 44a7f575af520143cb593a58f5de28a34d320ff281f5cb5d6ac44027000f2053
              • Instruction Fuzzy Hash: 4801FFB2260700AFD361DF24CD86F267BE8F794B25F018A3DAA48C7190E374E804CB56
              Function 0122C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 4f1f32cb9cb1d46bb8a3810954f3956d426243b90bdfb4f936fe43ac65f9f5b3
              • Instruction ID: f775e298259fae1c5e90b74349b3fd6948e915a42eaea45310e26c43d4ce5175
              • Opcode Fuzzy Hash: 4f1f32cb9cb1d46bb8a3810954f3956d426243b90bdfb4f936fe43ac65f9f5b3
              • Instruction Fuzzy Hash: C8827F75E20229AFEB25CFA9C8407EDBBB1FF48310F148169DA19AB351DB749941CF50
              Function 012A6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 24892ac0520827c3dadfd1e6085f6cdf4c499f1dce23cf915f3b6aa9d55ef212
              • Instruction ID: 927fc3d82ef381f4d32f490297d5023d99d2557411d98872ebcad388874dd115
              • Opcode Fuzzy Hash: 24892ac0520827c3dadfd1e6085f6cdf4c499f1dce23cf915f3b6aa9d55ef212
              • Instruction Fuzzy Hash: 8991827196021AAFEB25DF95DD85FAEBBB8EF14B50F540015F700AB190D774AD00CBA0
              Function 012CE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 2eb4eea8289816b6cccfc2db6e7678a5d5613e56a47c9413e4229ee514a4a2c0
              • Instruction ID: c063f61f42e626baba29d2a4812fa76f0cdd3a9ddc36c48a23b95afffa96182c
              • Opcode Fuzzy Hash: 2eb4eea8289816b6cccfc2db6e7678a5d5613e56a47c9413e4229ee514a4a2c0
              • Instruction Fuzzy Hash: 4191B172920646AFDB22ABA5DC44FBFBF7AEF95B40F110119F700A7250DB74A901CB51
              Function 0125A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: b5ede26128fa8298ec67a04ea9ac6a378d3a40572f15369f540af35238690ef9
              • Instruction ID: d7fd3627d032a9a8a06e6ad1c06dc114b4bc1aec3b0cfdb267a029ca49cbcd67
              • Opcode Fuzzy Hash: b5ede26128fa8298ec67a04ea9ac6a378d3a40572f15369f540af35238690ef9
              • Instruction Fuzzy Hash: 8E716DB5E2020A9FDF29CF9CD591AEDBBF1FF48700F14812AEA05AB241E7748945CB50
              Function 012C4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              • Opcode ID: 0ab6a32e9446589cba4faac0835b722546f6a4055dafe2301c47cc6cf21c11e5
              • Instruction ID: 316051aa217065a83fdea20a36e8a13ecb2f2600adbb29f28422da644e0f4012
              • Opcode Fuzzy Hash: 0ab6a32e9446589cba4faac0835b722546f6a4055dafe2301c47cc6cf21c11e5
              • Instruction Fuzzy Hash: 2F518272D2026ADBDB14EF99D960AAFBAB4AF14A10F05422DEB11B7240D3749901CBE4
              Function 0123E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: c7758d497d9c3884770ba395ea12781656f96a3198b64eed1c7645754b35073a
              • Instruction ID: e215fdedbb8c11b52e33365f531f03e5364b57d8a46dd16eb69d8eb0be97e4fd
              • Opcode Fuzzy Hash: c7758d497d9c3884770ba395ea12781656f96a3198b64eed1c7645754b35073a
              • Instruction Fuzzy Hash: 9B41C0B2528302ABD725DA75C841B7BB7E8AFD8714F05092DFA84E7180E774D908C796
              Function 0129C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 8151ffc070f2a3480fe926aac654e28ae0664aaf8deab8aebc9682c6b8428cfc
              • Instruction ID: 6e46b9a4988113add844bed7e710de57fa4ce0628f2450da78c556243cb9ed67
              • Opcode Fuzzy Hash: 8151ffc070f2a3480fe926aac654e28ae0664aaf8deab8aebc9682c6b8428cfc
              • Instruction Fuzzy Hash: E74143B1D1012DABDF21DA54CC84FEEB77CAB44714F0045A5EB08AB180EB709E998FA4
              Function 012B6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              • Opcode ID: c44a31935fd8c94dc9a45864ffeb5b87887595b04202c579f12912119e5f1a63
              • Instruction ID: 14a4c67300a7e3ba1f2fe9edb0694274fa2a9d02eadb4f389e2c3c86cf177423
              • Opcode Fuzzy Hash: c44a31935fd8c94dc9a45864ffeb5b87887595b04202c579f12912119e5f1a63
              • Instruction Fuzzy Hash: CD316B31A2035A9BEB22DF68C884BEEBBB8DF45744F144028EA40AB282D775DC05CB50
              Function 0129CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              • Opcode ID: e6f61a2ea069a934a5cf2cef9065630d4dde029cfa4331d6fc596b15534196cf
              • Instruction ID: afbb5e954a1a76393b3ddb24bb125f9500515c16eba0376c21e40fe1d43fe2b7
              • Opcode Fuzzy Hash: e6f61a2ea069a934a5cf2cef9065630d4dde029cfa4331d6fc596b15534196cf
              • Instruction Fuzzy Hash: 1C310376920516AFEF16DA5CC861E7FBB74EB90760F014129EA05A7290E7309E10DBE0
              Function 012A892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 012A895E
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode ID: 24ffa820fd993ac093ed2054ca28bce9bc01556a3eef8c44b6b7a9742da76c68
              • Instruction ID: a200508be550167c6b902cb2537b1adf7cebe62ab19453721e003038a1ed1a7a
              • Opcode Fuzzy Hash: 24ffa820fd993ac093ed2054ca28bce9bc01556a3eef8c44b6b7a9742da76c68
              • Instruction Fuzzy Hash: 6101F732230217ABE7256B5AC884BAA7F75EFCA755F84002CF74106655CB606882C792
              Function 012C2000 Relevance: .8, Instructions: 757COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d9ed60db75ab038b5ce284907a8c76c755edda8a934c8a230ead8a2b0b54a4e
              • Instruction ID: 55a01a1d194a8badf66900bf4f2b2531df3e9aaac0e0ba5d3ffef5c5218a433b
              • Opcode Fuzzy Hash: 5d9ed60db75ab038b5ce284907a8c76c755edda8a934c8a230ead8a2b0b54a4e
              • Instruction Fuzzy Hash: 2342B475628342CBD725CF68C890A6BBBE5FF98B40F040A2DFB8697250DB70D945CB52
              Function 012B8158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16755b8fcd6f918c52ea24157edd386a7912fd8353326d5eb90f25995ff7b723
              • Instruction ID: f9ffae62497382592261635dc284fdd862b4fc9a9268783a0a199c06b5e72e43
              • Opcode Fuzzy Hash: 16755b8fcd6f918c52ea24157edd386a7912fd8353326d5eb90f25995ff7b723
              • Instruction Fuzzy Hash: 07424D75A202198FEB25CF69C881BEDBBF9BF48340F148099EA4DEB241D7349985CF50
              Function 01232840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 710214ccdda147cf571e4eb4a415ea3284c18550d8ee3639d201eb72ab85da38
              • Instruction ID: 3f623d01b40b3ab4dfa4e8f1e8c338ccc8fcacff3c7d132fca4cc3ede08abad0
              • Opcode Fuzzy Hash: 710214ccdda147cf571e4eb4a415ea3284c18550d8ee3639d201eb72ab85da38
              • Instruction Fuzzy Hash: 7132F0B0A217568FEB25EF69C8447BEBBF2FF84304F24411DD64A9B284D775A806CB50
              Function 012CA118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 90f33ff041caece9e988b7c159333ecba8645e19006aebab81df9046a0be09ec
              • Instruction ID: c42c6e057c9c53a6a89f96fefe518a474b7005b9db31577b7e9b1cb2dc1ed25a
              • Opcode Fuzzy Hash: 90f33ff041caece9e988b7c159333ecba8645e19006aebab81df9046a0be09ec
              • Instruction Fuzzy Hash: 2B22CD7063466A8EEB25CF29C055376BBF1BF44B40F18865DDB868B286F3B5D442CB60
              Function 01226A50 Relevance: .5, Instructions: 548COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4465e90a187eb28ed8be0b4e0583d6a08fad203b1e58f4b2a75bdf2462bb15a0
              • Instruction ID: cb56fcc4355f35b89491cded0060cef9139efc298f4986dd3d9e753d28625ca0
              • Opcode Fuzzy Hash: 4465e90a187eb28ed8be0b4e0583d6a08fad203b1e58f4b2a75bdf2462bb15a0
              • Instruction Fuzzy Hash: 8632F171A21216DFDB25DF68C480BAEBBF1FF48300F148569EA55AB391D770E852CB50
              Function 01244A35 Relevance: .4, Instructions: 423COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction ID: d8aa18ba45e0f9916574ec069dd2e9d5ec786c50353268a097fa00eb3888bbe1
              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
              • Instruction Fuzzy Hash: 5CF19171E2125A9BDF19EF99C580BBEBBF5BF48714F088129EA41AB340E774D841CB50
              Function 012B892B Relevance: .4, Instructions: 386COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be6bde7c5b22d96f352cd57eaf0d7a0edd34ba348b2ffd268a93416622dfeca5
              • Instruction ID: 5ccb66ca612b5d41c82f053e1e0f9567798ded2ffe9da5b15d041f72ea7469c2
              • Opcode Fuzzy Hash: be6bde7c5b22d96f352cd57eaf0d7a0edd34ba348b2ffd268a93416622dfeca5
              • Instruction Fuzzy Hash: F6D1F571A2060A8BDF09CF69C881BFEB7F9BF84344F188169D959E7241E735E905CB50
              Function 012265D0 Relevance: .4, Instructions: 383COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01cf5ce4bb3c2281c6cd5d655653344f456b4afccfcdc095683ea47a3ec5ff35
              • Instruction ID: b472c2822463e786f862263e396237384e1a910d2814bb3b8f183af775cac9ae
              • Opcode Fuzzy Hash: 01cf5ce4bb3c2281c6cd5d655653344f456b4afccfcdc095683ea47a3ec5ff35
              • Instruction Fuzzy Hash: A5E19E72619352DFC715CF28C090A6EBBE0FF89304F04896DEA9987391DB71E905CB92
              Function 01218397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d84f602928d50621436b3a435fa4d8b8aa00ce70266acf8bea94d8d46ffb1e5
              • Instruction ID: 9f4160215077722db3985485915d470c32d52539f0b1fcf3a007f33f3a80611c
              • Opcode Fuzzy Hash: 6d84f602928d50621436b3a435fa4d8b8aa00ce70266acf8bea94d8d46ffb1e5
              • Instruction Fuzzy Hash: 8BD1D071A2020B9FDB18CF68C8C1ABBB7E5FF64314F054629EA16DB284EB70D951CB50
              Function 012A8243 Relevance: .3, Instructions: 322COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: 39af4105cd2611680b8000b08c5aa11797943be6f9777c1c5ae8ad542b222ed5
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: C7B18474A106069FEB24DF99C940EBBBBB9FF84305F90445EAE4297790EA34E945CB10
              Function 01230535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: a290460cfc8e68ed5b22e4bb61caa7a8b2cab0f32abf919fd6512a5b1a5c0c04
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: A3B106716246479FDB16EB68C850BBEBBF6BF88300F140199E652D72C1D770E941CBA4
              Function 012283C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8556c010d251b030864eae3b35ae19862f3c7595cdc96aec992c77b0285a67b0
              • Instruction ID: a6e64ab3f3173cb4e8ec0fd8f4a00e6757e23cc5f21185c0abf8e8af72301735
              • Opcode Fuzzy Hash: 8556c010d251b030864eae3b35ae19862f3c7595cdc96aec992c77b0285a67b0
              • Instruction Fuzzy Hash: E2C178741283419FE764DF18C484BABB7E4FF88304F44496DEA8987291D774E919CF92
              Function 0121C427 Relevance: .3, Instructions: 280COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4bc4a3cd5e5c51810ea492a9aadf66c665b5acef5ed4de470235f528a8ee4113
              • Instruction ID: f1e7850d592047c8a28c2d602b3ff01da429595f478d827914f46e1de76ee0c2
              • Opcode Fuzzy Hash: 4bc4a3cd5e5c51810ea492a9aadf66c665b5acef5ed4de470235f528a8ee4113
              • Instruction Fuzzy Hash: E2B18174A602668BDB34DF68D880BBEB3F5EF54710F0485E9D50AE7285EB709D85CB20
              Function 0124E5E7 Relevance: .3, Instructions: 278COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fffd7cd594c1b9aaabad0103d9625e5a96e7be4315bb55ae5102e9ccec765e3e
              • Instruction ID: efdec3d3c202a5f7aa948bcd8312fc6e7930ac2f6831ebe4eaefebaa01bc25f4
              • Opcode Fuzzy Hash: fffd7cd594c1b9aaabad0103d9625e5a96e7be4315bb55ae5102e9ccec765e3e
              • Instruction Fuzzy Hash: 1CA13771E2125A9FEB25EB5CC948BADBBA4BF04724F060115EB00AB2C0D7B89D40CBD1
              Function 01260185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7d77d82100664d7907df6f680fdc68cd42bf89374b5ec263ea8a0bc12dd50e8
              • Instruction ID: 188a670aa96f656b4ea612493c570a453b1a4051877c5d105a8cb1b51d9add94
              • Opcode Fuzzy Hash: d7d77d82100664d7907df6f680fdc68cd42bf89374b5ec263ea8a0bc12dd50e8
              • Instruction Fuzzy Hash: BAA1E070A216069FEF25CF69C990BBAB7B8FF44314F004029EB0597281EB74A891DB94
              Function 012F4500 Relevance: .3, Instructions: 275COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2887f0a44c70209febdd9f18fedbd1818df3d84a74e5a19c725f3f057a8ade33
              • Instruction ID: 24f63c2b9be650d91204135c5951abb2afacb5efa843939f5b3da036ef42f21e
              • Opcode Fuzzy Hash: 2887f0a44c70209febdd9f18fedbd1818df3d84a74e5a19c725f3f057a8ade33
              • Instruction Fuzzy Hash: A1A1CEB2624292DFC715EF18C980B6ABBE9FF58714F05093CE6459B651D3B4ED00CB91
              Function 012F2B57 Relevance: .3, Instructions: 266COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction ID: 44f1d1ab5d7af9c655206571b16a80788a58727aced491ebdb73ba02b8247f0d
              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
              • Instruction Fuzzy Hash: 2AB11771E1061ADFDB19CFA9C880AADFBB5FF49310F148169EA15A7354D730E941CB90
              Function 012A60E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 086e6073f73b5e307d23e102eb98bbdd6818e592955a327c37764fda3148ab8f
              • Instruction ID: c84bba550eb4f75aef0087e2a880eb1a2db5a611b73c55a23c197c9740ca5137
              • Opcode Fuzzy Hash: 086e6073f73b5e307d23e102eb98bbdd6818e592955a327c37764fda3148ab8f
              • Instruction Fuzzy Hash: 8C91B371D20216AFDB15CFA8D894BBEBFB5AF48710F594169EA10EB341D734E9018BA0
              Function 0123E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c8d8e7f3639f98d36b5b96ef1c576bfb9ed415efad5b3073df0bbacf6ae3bf83
              • Instruction ID: 91b038d77b17d6deaa303789cfe5a9bed638f1280e3bb10682729a9317cb6a2d
              • Opcode Fuzzy Hash: c8d8e7f3639f98d36b5b96ef1c576bfb9ed415efad5b3073df0bbacf6ae3bf83
              • Instruction Fuzzy Hash: BE9176B1A31213CBEB24EB58D440B7DBBA2EFD8714F064065EB059B3C0E674D945CB50
              Function 012EAB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: 97eff7129d9c84e0688550b4256361c26813aaaa2f2f7084dd92801edc7dc92e
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: 0381AF31A2020A9FDF18CF98C899AAEBBF6BF94310F58856DD9169B344D774E911CB40
              Function 0125E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed7e7d1be88a809811ca3f73d9f1b0e39f1b9ff449deadef7bd8a0ac1e805f19
              • Instruction ID: 5cdb3241fe8b46562cb784d1ba6e5ab715f5f0287634876bfa9abd599b36f59a
              • Opcode Fuzzy Hash: ed7e7d1be88a809811ca3f73d9f1b0e39f1b9ff449deadef7bd8a0ac1e805f19
              • Instruction Fuzzy Hash: 7C81AF71A1060AEFDB21CFA9C880AEEFBBAFF48354F11442DE655A7250D730AD45CB60
              Function 0123C640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13efb11bf992f33ca87cd0a293397cb0b887cdd5594b181f9da69b9263d252f2
              • Instruction ID: 10d1ea0d6a1094850f6f2f33aeeb2e120d54ee2063101e5b66e9cd13ad033a41
              • Opcode Fuzzy Hash: 13efb11bf992f33ca87cd0a293397cb0b887cdd5594b181f9da69b9263d252f2
              • Instruction Fuzzy Hash: A471D2B5D25226DFCB2ADF68C4517BDBBB9FF98710F14411AE942AB390D3709810CB90
              Function 012D47A0 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f7870a532736528114aefa6166211bc6a67eaa6921ea78652a28ccdfd34a91e
              • Instruction ID: 490fa1f376fe2e47bd4281cb822a745fa1168be82db7445b15141def029229e2
              • Opcode Fuzzy Hash: 9f7870a532736528114aefa6166211bc6a67eaa6921ea78652a28ccdfd34a91e
              • Instruction Fuzzy Hash: 2971B2B0920286EFDB20EF99D952AAABBFCEF91300F11415EE700A7658C7B18940CF14
              Function 0123260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba35963e95bdfeac4b7b06a9cd24d34dd7209ab720318c87892fbb9fb6af51bf
              • Instruction ID: b7490dfa3d85a680632af58d3e1d9f4f3ebbf216c1500071c8d8b92aa28e42bf
              • Opcode Fuzzy Hash: ba35963e95bdfeac4b7b06a9cd24d34dd7209ab720318c87892fbb9fb6af51bf
              • Instruction Fuzzy Hash: 6D71DEB1624242CFD316DF28C480B2AB7E5FFC8710F0485AAE999CB356DB74D846CB91
              Function 012A035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 633524432c798941b7ce7479a292f0de9ed71756cb4916987c4f90bc658cc9c8
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: A7717E71E2060AAFDB10DFA9C984EEEBBB9FF88300F504569E505E7250DB34EA05CB54
              Function 012B62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e7f828b7400b488afe47e2534c52af307784871905c6680a9f41b72a54170d1
              • Instruction ID: 808672dd9707b9041e4687ab8ba78fe2b9021338e1e65b16af751523cf89ddbc
              • Opcode Fuzzy Hash: 7e7f828b7400b488afe47e2534c52af307784871905c6680a9f41b72a54170d1
              • Instruction Fuzzy Hash: 8D71D372260B02AFE732DF18C885FA6BBB6EB407A0F144818E755872E0D779E944CB50
              Function 01228AA0 Relevance: .2, Instructions: 197COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3268c8420848ac89adb1904ae2dfff5adb0520d21b20270c4c0b7a2e74824382
              • Instruction ID: 910409580c47bd9b9e675208222c29987b5c2aac1428ab006308f498b086f235
              • Opcode Fuzzy Hash: 3268c8420848ac89adb1904ae2dfff5adb0520d21b20270c4c0b7a2e74824382
              • Instruction Fuzzy Hash: 3B819C72A25326DFDB24DF98D584BADB7F5BB48310F15412DDA00AB285E774DD40CB90
              Function 012F8324 Relevance: .2, Instructions: 192COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e5746ded26bdf7cc0486f4755e5e8246c5ec6a406db1cb726976ff7a713b4e4
              • Instruction ID: 47e67cb64be1ab523cf7a1e23315f76adb978742fa97cb892ef9f52700141b0f
              • Opcode Fuzzy Hash: 2e5746ded26bdf7cc0486f4755e5e8246c5ec6a406db1cb726976ff7a713b4e4
              • Instruction Fuzzy Hash: 91711A71E6020AAFDF16DF94C841FEEFBB9FB04350F104129E615A7290E774AA45CB90
              Function 012DA250 Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: feabf2d7159d2ed363a8b979c53dbb84916e399b8d31d823cc862e7d06cef722
              • Instruction ID: cc1aed88a1ab939b5a936d1700d1fd4cd141df112554774a89c6f9013d056003
              • Opcode Fuzzy Hash: feabf2d7159d2ed363a8b979c53dbb84916e399b8d31d823cc862e7d06cef722
              • Instruction Fuzzy Hash: DA51C172524752AFD712DE68C844E6BBBECEBC5750F014929BA80DB250D774ED04CBA2
              Function 012C8350 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d25fa8c34471d1a8126c57745503400023f2303964b9bd57c1849e52ae4f86ec
              • Instruction ID: 1df1b1e6b417958e07d22472f390833a08e75e6910971f926b18f0d65f5f798e
              • Opcode Fuzzy Hash: d25fa8c34471d1a8126c57745503400023f2303964b9bd57c1849e52ae4f86ec
              • Instruction Fuzzy Hash: 87517B70920B059BD731DF5AC884AAAFBF8FF54B10F10871ED396576A0D7B0A545CB90
              Function 0125E443 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b6fed219c5188b917c53abe4bb9c92561eefb83143186d915b322a0d253a3f9
              • Instruction ID: 16a7ade61d7dea91d7c0aa0c989ee58319d7cadb978bc1e49add49d28c3bbfc4
              • Opcode Fuzzy Hash: 2b6fed219c5188b917c53abe4bb9c92561eefb83143186d915b322a0d253a3f9
              • Instruction Fuzzy Hash: 43514CB1220A06DFCB22EF69C9C0EAAB7FDFF54754F410869EA5197260D734EA40CB50
              Function 012C4180 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91921ed87792e1afb843effa62f4cb08fc2b34ba3a7829fa711f4af9cd4cc4ed
              • Instruction ID: a28f613647fb3e2c6c464f730b9462b41f71ac85286b4029dbeb4188f8b48ef2
              • Opcode Fuzzy Hash: 91921ed87792e1afb843effa62f4cb08fc2b34ba3a7829fa711f4af9cd4cc4ed
              • Instruction Fuzzy Hash: 7E51AD716283828FD750EF29C891A6BBBE5FFC8608F544A2DF689C7250D730D905CB52
              Function 012445B1 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: b4b22f9349af7984778d39d04c39b06d2c27e0bdd2035a5d224135b772a2eaad
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: EF519F71E1025AAFDF19EF98C440BFEBBB9AF45754F044069EA01AB240D774EE45CBA0
              Function 012AE9E0 Relevance: .2, Instructions: 154COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction ID: 3ba6e0a7cbbbd9b29eb1f06bbb711f5005441b52f1411367c78dc0bddb44d823
              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction Fuzzy Hash: B251DA31D2021BEFDF21DF94C899BAEBB78BF10314F524A55D61267190E7709D42CBA0
              Function 012E8B28 Relevance: .2, Instructions: 152COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9172c952e5bcad8e33dd6441db1fff0e1400914c494742bcdfc551e503e5fb9
              • Instruction ID: 5ecd59976666df1a1285b13cd8ebb5cc792df0baf6fb47f3cad3f9c7eb794029
              • Opcode Fuzzy Hash: b9172c952e5bcad8e33dd6441db1fff0e1400914c494742bcdfc551e503e5fb9
              • Instruction Fuzzy Hash: 6A4129707216029BDB29DB2DC99CB7FBBDAEF81220F84461CEA95C7280E770D811C791
              Function 012ACBF0 Relevance: .1, Instructions: 148COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38380eb24b8210abbb18180c8c9a16afc3706420eb11ef8c96d729ee5d824f23
              • Instruction ID: ac48e70b6e6b40d1f815448bde7ae008be3268cb885ddbefcb2e20e0da98c79e
              • Opcode Fuzzy Hash: 38380eb24b8210abbb18180c8c9a16afc3706420eb11ef8c96d729ee5d824f23
              • Instruction Fuzzy Hash: 13519DB192061ADFCB20DFA9C8809AEBBF9FF48324B904519E605A7304D774AD11CBD0
              Function 0125A430 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 495e9832d03f6675b1f6ae9434720780e6a4507b502fa61430059d2505b2544d
              • Instruction ID: 9adab19fd5c425c5e1c257cc11be9f417082954281fbcb278241d6b76c76b09b
              • Opcode Fuzzy Hash: 495e9832d03f6675b1f6ae9434720780e6a4507b502fa61430059d2505b2544d
              • Instruction Fuzzy Hash: 1341FA71A603069FDF65EF6DA8D2FB93BA8EB58708F01012DEE029B245D7B59811C790
              Function 012EA9D3 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction ID: ec8dfbec4038323a0c751e01392fa3e111916ec53323bb68b42e8368f49d3da3
              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction Fuzzy Hash: 5341E8716247179FDB25CF58C988A7AB7E9FF94210B45462EEA528B340EB30ED18C7D0
              Function 012501F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81d9b9eacc77b57855af20bf202f09fa01786f2b1471521485eda1a7aef624ba
              • Instruction ID: fddda7b42c5ae777e31439b43fe8dece80f78e9977c5b9c2c5c0f5dcd24e8597
              • Opcode Fuzzy Hash: 81d9b9eacc77b57855af20bf202f09fa01786f2b1471521485eda1a7aef624ba
              • Instruction Fuzzy Hash: A741893692021AABDB54DF98C880AFEBBB4BF48710F14816AFD15E7340D7759D41CBA8
              Function 0124EBFC Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b458dd40585d1c050c03a239ee3c909a7d5083a3a833e7b1b59f964cf43698dd
              • Instruction ID: 4f4c1df24786be9240cc568df4e2c156a794a85973564a79770c94fe8aad3638
              • Opcode Fuzzy Hash: b458dd40585d1c050c03a239ee3c909a7d5083a3a833e7b1b59f964cf43698dd
              • Instruction Fuzzy Hash: 7B41B6B1624302DFE729EF28C884A2BB7E9FF88324F014829E657C7751DB75E8448B55
              Function 01262750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: fc6fb5bb67327ae2db972e3ac200fa4968eca59b8b5a8f6299caa9e91a1caea5
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 40515C75A10616CFCB15CF5DC580AADF7B2FF84710F2481A9D915AB351D770AE42CB90
              Function 01226154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45d8a90ed8b0debe6f2fe6700e067c435f1b2a8dceadf9b79164f65e4ffdb731
              • Instruction ID: d989d8639be7faaee0ac0f0b7548653a6bcb2a5fb972d8685c0398fd5bb0a92b
              • Opcode Fuzzy Hash: 45d8a90ed8b0debe6f2fe6700e067c435f1b2a8dceadf9b79164f65e4ffdb731
              • Instruction Fuzzy Hash: 7C513BB1921227EBDB25DB68CC01BBCBBB5FF11314F1442A5DA29972C5D774A981CF80
              Function 01220BCD Relevance: .1, Instructions: 130COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2a4df0eb768f3ba1933f2f6264dd42f8479b19923375afc5645d14c778afaaa
              • Instruction ID: 85c7b88975e6128c62ea5bdace0cabab69575ff736329ec349bd5eae7ce24b6b
              • Opcode Fuzzy Hash: c2a4df0eb768f3ba1933f2f6264dd42f8479b19923375afc5645d14c778afaaa
              • Instruction Fuzzy Hash: 2E419171A20229EFDB21DF69C944BEE77B8EF55740F0100A5EA08AB241D774DE80CFA5
              Function 012E866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 117d9cdad3e7cca69c8d9c60335ccdcbcd2aa8891b08c535d913e1881e03dab3
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: A941A675B20106AFDF15DF99CC98ABFBBFAAF84600F544069EA84A7341D670DD41CB60
              Function 01220887 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e360aa7d2d7c97d41a0eb83c2feef0b351e5fb1379830a5427d5fc9f2ff84c2d
              • Instruction ID: 0e6802b5f559cb314f826abe7e62a15c9b054992016d2a658d6a72cd69a1ec5b
              • Opcode Fuzzy Hash: e360aa7d2d7c97d41a0eb83c2feef0b351e5fb1379830a5427d5fc9f2ff84c2d
              • Instruction Fuzzy Hash: E541B3B1620712AFE325CF29C480A2AB7F9FF49714B104A6DE64787A50E770E845CB98
              Function 0124A470 Relevance: .1, Instructions: 127COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b761243fa5939485830b47e5b3bd321f4b1bb8a95c0ad2d3e32d1cabdb202007
              • Instruction ID: 700e5f120cab2f23acabe3d6395d9f13bac2296e8318e6613c83268edc3fb4f3
              • Opcode Fuzzy Hash: b761243fa5939485830b47e5b3bd321f4b1bb8a95c0ad2d3e32d1cabdb202007
              • Instruction Fuzzy Hash: B0411172AA5206CFDB29DF68E9847ED7BB4FB18310F090169D512AB3C0DB749904CBA0
              Function 01228BF0 Relevance: .1, Instructions: 124COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65051a646fb63c87c6d462f995fd3fcaba8fa7cccc1290d84862e33dcc18f6d0
              • Instruction ID: fa6d7b53af9644090c83e00825cd2a63ebd481c3bc9eba6c23adbb48e736b847
              • Opcode Fuzzy Hash: 65051a646fb63c87c6d462f995fd3fcaba8fa7cccc1290d84862e33dcc18f6d0
              • Instruction Fuzzy Hash: A1411571921212EBD728DF58C880A6EBBF9FB98714F14802ADA019B355D775D846CB90
              Function 01218918 Relevance: .1, Instructions: 123COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20cbeab7ece2a4f90334ed15ae5bd331aa2ec8611173e3e9adfcb02a22a95140
              • Instruction ID: d5cfae38544acaffe083b48383cff400fcec08d5629c7fe89a1ca50154685dc1
              • Opcode Fuzzy Hash: 20cbeab7ece2a4f90334ed15ae5bd331aa2ec8611173e3e9adfcb02a22a95140
              • Instruction Fuzzy Hash: 92416E325287469FD312DF69C881A6BF7E9EF84B54F40092AFA84D7250E770DE048B93
              Function 0121A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: dfd30a7b5baad2d652d67856ba5e2ae81800410d837aa867b2fd008fb9d1f7c3
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: C0418E31A31257DBDB21DE2D84407BBBBF1EB60B50F15806AFB458B248D6338D40CB91
              Function 012209AD Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 63ced7fd5d37918018a3796a7f7b0b2f255a19760a021e05e80a3ae577e97a78
              • Instruction ID: 9eea726fedfc62edd55ee0c8a23fbe2bd8ceee5a85a0290bd9e35cf0a12066f6
              • Opcode Fuzzy Hash: 63ced7fd5d37918018a3796a7f7b0b2f255a19760a021e05e80a3ae577e97a78
              • Instruction Fuzzy Hash: D2417CB1621612EFD721CF18C840B6ABBF4FF54714F60866AF649CB251E770E942CB94
              Function 01250710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 894bf4a2ee44943b9c6cdbec7aa331692984e49d0c19db2fc1e26449561bbe1a
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: 8F411871A10605EFDB64CF98C9C0AAABBF8FF18700B10496DEA56D7691D370EA44CF54
              Function 0122262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da6f4f5cdc58b63026068457743337e348575a7ccebeb5b34a863e927357a0ac
              • Instruction ID: 32d04f98e6f5bcea542c521fe72d3a0d301444345b5b344b9ee5541fff050892
              • Opcode Fuzzy Hash: da6f4f5cdc58b63026068457743337e348575a7ccebeb5b34a863e927357a0ac
              • Instruction Fuzzy Hash: 954101B1525311EFC725EF68C901B79B7B5FF44310F1082A9C6169B2A1DB719941CF40
              Function 0125C8F9 Relevance: .1, Instructions: 116COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b89024e4e2302532744fd6a14a94923b5ba198d3a2f3f385bd39e4d29c094678
              • Instruction ID: 7778ab96cfeaf9c28683a8146b9c8f1d078190bc1080a6c9552055265fc5c42a
              • Opcode Fuzzy Hash: b89024e4e2302532744fd6a14a94923b5ba198d3a2f3f385bd39e4d29c094678
              • Instruction Fuzzy Hash: 6E317CB1920346DFDB51CF68C4407A9BBF4FF09714F2085AED619DB251D3729902CB90
              Function 012A07C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 697f827291b2c712d5135e08fa94f7991c4191cbfaca5b9d870d2010c3cac67b
              • Instruction ID: 24f910e4bb00b106364b731ca957ca37f52f035e2efcb9403bc16ce84ae985af
              • Opcode Fuzzy Hash: 697f827291b2c712d5135e08fa94f7991c4191cbfaca5b9d870d2010c3cac67b
              • Instruction Fuzzy Hash: 8641AE715143419FD360DF28C845BABBBE8FF88714F004A2EF998C7291D7709844CB96
              Function 012180A0 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24cd3d273aa48983f7b1aa0e4f0e60d18230e4fdee1aaa4466f447a9295c5c0d
              • Instruction ID: 2a6662ac074b73732710a51b4b8cfe7ab3189aab24f08e99bfa63926688e370a
              • Opcode Fuzzy Hash: 24cd3d273aa48983f7b1aa0e4f0e60d18230e4fdee1aaa4466f447a9295c5c0d
              • Instruction Fuzzy Hash: 1A41EF72E24616AFCB11DF18C8C0AA9B7F1FF64760F248229D915A7284DB74ED418B90
              Function 012A05A7 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e1127750eb604d5fd1a9a0d1f378aff0ccad93e365830868df7e4df06804b71
              • Instruction ID: 539a8daf5d3e65fa2a9237170c757bdd643b4e8b95ec0a9c651acaf74ef0b189
              • Opcode Fuzzy Hash: 2e1127750eb604d5fd1a9a0d1f378aff0ccad93e365830868df7e4df06804b71
              • Instruction Fuzzy Hash: DC41C4725147429FC320DF68D840A7AB7E9FFC8700F540619FA95D7680E730D914C7AA
              Function 01224859 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e7cb52dd8a069c8e9d282e287c9a25cd2e8580fdd41faba8a9e3db68436bd55
              • Instruction ID: 484b89b8ab98d38a63ca757fa30cf543d29fd5aeb78e3af0255d63f94b191458
              • Opcode Fuzzy Hash: 2e7cb52dd8a069c8e9d282e287c9a25cd2e8580fdd41faba8a9e3db68436bd55
              • Instruction Fuzzy Hash: 8441D370320362ABD725EF28D894B3EBBE9EF80364F14482DE6458B2A1DB70D951CB51
              Function 01218B50 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff489dffe72d2d2fb298088ab2de7cda0c036fd21d7068e2542c794c75614f2d
              • Instruction ID: 8592dc1eedd09e1be75b9e60ad2f671282c6dc19212576fc53ae50bbcd0dad07
              • Opcode Fuzzy Hash: ff489dffe72d2d2fb298088ab2de7cda0c036fd21d7068e2542c794c75614f2d
              • Instruction Fuzzy Hash: 9341C171E21216CFCB18CF69C9809ADBBF1FFA8320F20862ED566E7290D7349901CB40
              Function 012302E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 32505dc988c3db94b94fc16f4b66c05fc989c2ea98009a51d8296ade9d406e14
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 0E312671A25285AFDB129B68CC80BAFBFE8AF54750F0441A5F855D7392C2B4D884CBA4
              Function 012CE3DB Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f45644dd224d42cc6157c4574a1b64ad4d40c4241ecbbcc8a80aa112fcd646e
              • Instruction ID: 78f9d3757035537915474f0c9209bbf2498ae255626b278b37d28e4a8874a0de
              • Opcode Fuzzy Hash: 7f45644dd224d42cc6157c4574a1b64ad4d40c4241ecbbcc8a80aa112fcd646e
              • Instruction Fuzzy Hash: 1E31A875760756ABD736EF558C41F7BBAB9EB58F50F110028F700AB291DAA4DD00C7A0
              Function 012D4B4B Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 062f49e35b6091b917b0ac5ee1e4c92bc9509504ec1c88d51c4e1a5a4767d332
              • Instruction ID: 6fb0f1b4dc2efbf03998346600336fdb69a31e6d6e8c90ab6e1c1ed5a174bca9
              • Opcode Fuzzy Hash: 062f49e35b6091b917b0ac5ee1e4c92bc9509504ec1c88d51c4e1a5a4767d332
              • Instruction Fuzzy Hash: 0331E4B2625241CFC721EF1DD881E26B7E9FB81360F0A446EEA958BA51D771E801CF91
              Function 01224260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9dad586378976cba3d88f4e898c6a07a5fed04a6a9557fd6d379d0cb6edbc63
              • Instruction ID: 457dfdc2f78efa52d5fda818487808ceb8a7be4b6aa28a8b99758e528e0f7b4e
              • Opcode Fuzzy Hash: f9dad586378976cba3d88f4e898c6a07a5fed04a6a9557fd6d379d0cb6edbc63
              • Instruction Fuzzy Hash: B341C271221B46EFD726EF28C491FEA7BE9BF45314F10882DE6598B290C7B4E804CB54
              Function 012D4BB0 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07633a2e41b396f92f54db73ff6126787992aa81d077c9a4007f37086fd5d42d
              • Instruction ID: ffaa9336c1ce2a750e6511166fe8d9ab2d1820f57a5596e6fd361c8cc6e5489b
              • Opcode Fuzzy Hash: 07633a2e41b396f92f54db73ff6126787992aa81d077c9a4007f37086fd5d42d
              • Instruction Fuzzy Hash: 1C31AD716242428FD724EF28D881A2AB7E9FB84720F05456DFA559BA90E770ED04CB91
              Function 0129EB1D Relevance: .1, Instructions: 100COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1281637915b5a65c17fb7bebcdde6b840baecc4b0c5e7d75347148df1bf5c153
              • Instruction ID: 4f5dd1deb0dd71f940b0182ee54ba2209d9bc50c634b1039676198357306be7e
              • Opcode Fuzzy Hash: 1281637915b5a65c17fb7bebcdde6b840baecc4b0c5e7d75347148df1bf5c153
              • Instruction Fuzzy Hash: 9331E4712316C79BFB22D75DCD58B297BD8BF40744F1E04B0AB859B6D1EB68D840C225
              Function 012E61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 117d889a2d41c2ac59a9d9c892fd6bdcd8ab1360440f462b5833d77cf6977229
              • Instruction ID: 1209c0df43a5fb975e939b3c5ac32ed51b54a7fc29f618b2338101f3de86b683
              • Opcode Fuzzy Hash: 117d889a2d41c2ac59a9d9c892fd6bdcd8ab1360440f462b5833d77cf6977229
              • Instruction Fuzzy Hash: 8231B275A10156EBDB15DF98C844BAEB7F9EB48740F454168EA00AB284D770ED40CBA4
              Function 012C483A Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 251a0b18f012995c247dcdc9436c170e982bb1efc0af2c77411e60cd43800323
              • Instruction ID: aacfc6bac1557bde5d45441dab57f6deb3b55d934ec9bf4de026a4319a5758e7
              • Opcode Fuzzy Hash: 251a0b18f012995c247dcdc9436c170e982bb1efc0af2c77411e60cd43800323
              • Instruction Fuzzy Hash: F6316776A5016DABCF31EF54DC94BDEBBF9AB98710F1001A5E608A7250CA30DE91CF90
              Function 0124EB20 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d524270408b26ebf9caae6aef77719402f6ea60ee08d7cec360db6f646ae828
              • Instruction ID: d3f023210c76e169db8db6e78c3ca248ceb6f1fb1e55d678c108c0aad31b47d0
              • Opcode Fuzzy Hash: 4d524270408b26ebf9caae6aef77719402f6ea60ee08d7cec360db6f646ae828
              • Instruction Fuzzy Hash: 0B31D872E21215EFEB21DFA9CD40AAFBBF8FF54750F114425E615D7250E2749E008BA0
              Function 012E60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fd00a89003778bcf8ff5f588755d09d0c58aecbb34f2822f6ea2937e6e04bbe3
              • Instruction ID: 332e32aa2165cbe3ee00fb6ec0d69f87354a0d9c43ac80d7986460563ca80c57
              • Opcode Fuzzy Hash: fd00a89003778bcf8ff5f588755d09d0c58aecbb34f2822f6ea2937e6e04bbe3
              • Instruction Fuzzy Hash: A331D472A60616EBDB179FA9C850B7ABBF9EF94354F440069E505EB342DA70DD008B90
              Function 012207AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 077dea746470aaab571f51a703bafecc57ee229596c0aab9e6b53770f4581e0f
              • Instruction ID: 1fdd424e919231dbb07849713e536d1157bff217d260b55e83c84c0ed4c3d832
              • Opcode Fuzzy Hash: 077dea746470aaab571f51a703bafecc57ee229596c0aab9e6b53770f4581e0f
              • Instruction Fuzzy Hash: C7310572A24222EBC722DE288880E7FBBE5AFD4650F02452CFD5597310DA70DC0187E6
              Function 01228550 Relevance: .1, Instructions: 94COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a90728042e9ec16a5ad8e1a0227b7438ee1c0c43b572218263492cca549c313
              • Instruction ID: b73b4c0ee7d9624f52bee9b6a8ef85f34da9a918db685019e0aa66c0f41a1470
              • Opcode Fuzzy Hash: 0a90728042e9ec16a5ad8e1a0227b7438ee1c0c43b572218263492cca549c313
              • Instruction Fuzzy Hash: B931ACB2629312DFE721DF19C840B2ABBE5FB98700F05496DEA8497391D774E848CB91
              Function 0125A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: fb7ab239edaf501a5d87268342ad73a88b2923bb73896c87111647c6bcaa7082
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: ED312FB2B10701AFD765CF6DDD81B57BBF8BF08650F04052DAA5AC3650E630E900CB60
              Function 012CEBD0 Relevance: .1, Instructions: 91COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a98cc6fe2eca93e183154bc5fc05f50e818a011771b65efc0cb48eefe2d4c50
              • Instruction ID: 8bb9e80838aef3c7a0302cf3442e9e91f72114cdde1e1838253e02d82e6c12a6
              • Opcode Fuzzy Hash: 2a98cc6fe2eca93e183154bc5fc05f50e818a011771b65efc0cb48eefe2d4c50
              • Instruction Fuzzy Hash: 3031EDB1519302CFC715DF19C44182ABFF1FF89A18F454AAEE6889B351D331DA44CB82
              Function 0124438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c551d05463dc875f8a286598f06761656e34913d3c12d87cb07d09dd43ac03c7
              • Instruction ID: 4aa83c7b759fb1fa4b0625bd15c49d2e9f02d82c3fc299c87592f9b8796ac7a2
              • Opcode Fuzzy Hash: c551d05463dc875f8a286598f06761656e34913d3c12d87cb07d09dd43ac03c7
              • Instruction Fuzzy Hash: CE31F471B202869FD728FFB9C881B6EBBF9EB84704F008429D605D7295D770D941CB90
              Function 0121CB7E Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: 7635222a810375ffd10c29b4cb8ab47d221ad73b5124de9f2ee9408855a61669
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: 1121E636E6125BAADB11DFB98841BBFBBB5AF64750F0980359E55E7340E270DD0087A0
              Function 0121C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c68f3036e9550414af53740bf3471cd13e551c44e249a33cc8e2dea6b06ec3ef
              • Instruction ID: c63a1493a7fb322fc6b5270206d54680fb3d7798a6a03df1e4ccdbe315178f40
              • Opcode Fuzzy Hash: c68f3036e9550414af53740bf3471cd13e551c44e249a33cc8e2dea6b06ec3ef
              • Instruction Fuzzy Hash: 7F3190F15102058BD734AF58CC41B7AB7B4EF90314F44C5A8DA459B386DA74E981CB90
              Function 012DC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: d439300ce43c3c0548ee136cc73629e0fa0ff3f366d63a0c0b36dc8564b17330
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 47214F3E620653B7CB15ABA5CC00EBBFBB5EF50710F40841EFA9587691E634D960C360
              Function 0121E420 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18f638e5088f53d2fbf44b8dfae9e90925d6da890d61957aa7df478bbdc3d03d
              • Instruction ID: 774902ee33dc71899868d20c7817174f45c25e70c199f42859f4ec77030bb58e
              • Opcode Fuzzy Hash: 18f638e5088f53d2fbf44b8dfae9e90925d6da890d61957aa7df478bbdc3d03d
              • Instruction Fuzzy Hash: BE31FE3196011D9BDB32DF14DC41FEEB7F9EB25750F0100A1EB45A7194D6749E808FA0
              Function 01254588 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 18af263b2336bd2afc4f14f57c79e379d4cb6f39d006487452a0a22b093702e2
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: B021B135A10649EFCB50DF58C9C0A9EFBF9FF48314F508065EE159B241E670EE818BA0
              Function 012544B0 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 87a2c64af5e5fa0720ebf26a9eb3b02c3a42575dae9c2c98654458a985b8efcd
              • Instruction ID: c6ab1de968de8df36265c08c50d4b58956f044fd6641fe56ef8fadd07af91803
              • Opcode Fuzzy Hash: 87a2c64af5e5fa0720ebf26a9eb3b02c3a42575dae9c2c98654458a985b8efcd
              • Instruction Fuzzy Hash: 4A21E5725247869BCB22DF18D480F6BB7E4FB98764F004519FD449B240D730DD40CB91
              Function 0121E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 140c9804dbd8e046ecfb097d127171ada9a55a1846c29c7df6f27f5fd262eaba
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 80318D31620609EFD721CB68C984F6AB7F9FF85354F1545A9EA12CB284E770EE41CB50
              Function 0129E609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9af3241c7461dd459da2db521ed7aeb3ea774e18075c3079016bf29bc8dd03ac
              • Instruction ID: bea301c659a6e776a47db4810bbff7ac3bb786a2405d8e0e2844343f37f327b3
              • Opcode Fuzzy Hash: 9af3241c7461dd459da2db521ed7aeb3ea774e18075c3079016bf29bc8dd03ac
              • Instruction Fuzzy Hash: ED31BC75A20206DFCF18DF1CC8849AEB7B9FF84300B168459E9099B391E771EA50CBD0
              Function 012A06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0620d4da83e4193220aa396ec2e23ce6dde7e8873313a264ac9d9743760dc63c
              • Instruction ID: 57f5d76185cd7a81e7b650b886cde0824e5f5ade674ceb831fdbe86da7bce33d
              • Opcode Fuzzy Hash: 0620d4da83e4193220aa396ec2e23ce6dde7e8873313a264ac9d9743760dc63c
              • Instruction Fuzzy Hash: 0121BF7191022ADBCF25DF59C881ABEBBF8FF48740F400069F941AB240D738AD41CBA5
              Function 012A019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51550c0bcf0dfe00d46327c0d2bc0fc0c795865163f933ffb859800b74e5c676
              • Instruction ID: dacb3b11dfd3588a771c72235fc39b04c813504750618e36f51c8e15d708831c
              • Opcode Fuzzy Hash: 51550c0bcf0dfe00d46327c0d2bc0fc0c795865163f933ffb859800b74e5c676
              • Instruction Fuzzy Hash: DB219AB1620645EFD715DB6CD844F6AB7B8FF88740F140069FA04DB6A0D638ED40CBA8
              Function 012A0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9538ccc219a5a76551b17796c19e10668c0c9b5191398aace61136212124e440
              • Instruction ID: 5c3e84b4b83ba43ab80be44992dd0f35ccbdbc76f18f9cc4232adfba64bb761e
              • Opcode Fuzzy Hash: 9538ccc219a5a76551b17796c19e10668c0c9b5191398aace61136212124e440
              • Instruction Fuzzy Hash: 3A21F2B29243469FD711EF69D848F6BBBDCAF90340F084456BE84C7251D734DA08C7A6
              Function 01242835 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c38258ccd755bd4c3cef12e54f4a8ba9c7d072411485b46852728d3844d46e3
              • Instruction ID: 8a89dbb022b07a14330b8c69456b1139947fbfe42cee5254ac457c0d9de191dd
              • Opcode Fuzzy Hash: 7c38258ccd755bd4c3cef12e54f4a8ba9c7d072411485b46852728d3844d46e3
              • Instruction Fuzzy Hash: 0B21DA31635686DBF326AB6D9D48B287BD5BF41774F180361FB20DB6D2DB68C841C250
              Function 0125A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2787b4a2136670d6ee623b0ce84be3a7b5ea926e32096d5fe613223fa72817c7
              • Instruction ID: 951177e31d3fa9934019ad69f44020a1dec90a4f6d9a66de2fbdc3c55faac2c9
              • Opcode Fuzzy Hash: 2787b4a2136670d6ee623b0ce84be3a7b5ea926e32096d5fe613223fa72817c7
              • Instruction Fuzzy Hash: 2F21ACB5221601AFCB25DF29C842B5677F5BF48708F148468E909CB762E775E842CB94
              Function 012DA49A Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3c4b0f7e38319ad9bcfe3f32e10d63f7cc9f46bcf62aaa56a3bf06425dcf6e0
              • Instruction ID: 5041d0e02072a90ac18198d66f7fde86631cdd8e779b61b753efadc03d53b984
              • Opcode Fuzzy Hash: a3c4b0f7e38319ad9bcfe3f32e10d63f7cc9f46bcf62aaa56a3bf06425dcf6e0
              • Instruction Fuzzy Hash: 441129727A0B12BFE7225659EC01F3BB699DBD5B60F910028F758CB290EBB0DC018795
              Function 012A0946 Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2cb6b9b9404c5a2799ac138f56a5aed69f73b2766e20c18cc1ee86545e21cd0
              • Instruction ID: 4f46649dc0445e6bf43bfb77302cdad7f6bc2ed0457b0f7036790b5f361f96ce
              • Opcode Fuzzy Hash: b2cb6b9b9404c5a2799ac138f56a5aed69f73b2766e20c18cc1ee86545e21cd0
              • Instruction Fuzzy Hash: CF21E4B1E10219ABCB24DFAAD8819AEFBF8FF98B10F10012FE505A7254D6749941CB64
              Function 012B80A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 4c2c47d57ec103a648e03b2f9d987cd92d0da99509de3b06d744d2e2450a13ed
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 18218E72A2020AEFDF129F98CC80BEEBBB9EF98350F244855F904A7251D774D9508F50
              Function 01250124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 0c93281886dd19e49a3a603837385a21bae96456c245f0b5720f4251e6c35647
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: 28110173611606BFE7229F48CC81FAABBB8EB80754F108029FF048B180E671ED44DB65
              Function 01228770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5951bbac842c08ce9bc219c7a9ecbf268a227d2ad9eb3184bcacf592e16482a
              • Instruction ID: 843f977e6b78652610e1f06463643469dac636ec5a5bdae362b265c5070303ac
              • Opcode Fuzzy Hash: e5951bbac842c08ce9bc219c7a9ecbf268a227d2ad9eb3184bcacf592e16482a
              • Instruction Fuzzy Hash: 6A11C876721636ABDB19CF4DC4C096EBBE5EF5A710B14806DEE089F305D6B1D901C790
              Function 012280E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c554a93d8c5664a8791a34ca7dd4f6d867a75e4ff9867249a36b2f4e15594d2
              • Instruction ID: ce29e0f3345d14026aa937feb11bd81395e56070a704ce50e8896c9d77289cfa
              • Opcode Fuzzy Hash: 1c554a93d8c5664a8791a34ca7dd4f6d867a75e4ff9867249a36b2f4e15594d2
              • Instruction Fuzzy Hash: D8213875A10216EFCB14CF98C581AAEBBF5FB88318F244169D205AB391CB71ED16CB90
              Function 0125674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 057363119a8b6463757418249387f680a11a74d5fb0f842183eacd395c58ae55
              • Instruction ID: 6a810086f2f3f3836587b9b1f15bc195be29fb0cd88badf9d0cb5a64bde3172c
              • Opcode Fuzzy Hash: 057363119a8b6463757418249387f680a11a74d5fb0f842183eacd395c58ae55
              • Instruction Fuzzy Hash: B5218CB5620A01EFD7648F68C881B66B7F8FF84350F84882DE99AC7650DA71A840CB60
              Function 012B6870 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32ae2ada0353c2dd89ebefbbe683e1fe89bf81fcb856766c6f68913649e4f5d0
              • Instruction ID: 7e3b4da88a3985b112528dee445e2e8e823b646d21d0e115838cc751528bdd81
              • Opcode Fuzzy Hash: 32ae2ada0353c2dd89ebefbbe683e1fe89bf81fcb856766c6f68913649e4f5d0
              • Instruction Fuzzy Hash: F011A372260915EFD722DF9DC980FDA77A8EF95790F114029F305DB251DA70E905C7A0
              Function 0124E8C0 Relevance: .1, Instructions: 63COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80e5a677a43babda4cbdd96875f5038efb43e6572a449b29d10ee892a729b3bf
              • Instruction ID: 05c0622b4e482fea5244f1d04d7a7bf35a68f95b95d7f7671545ad45c406ce5d
              • Opcode Fuzzy Hash: 80e5a677a43babda4cbdd96875f5038efb43e6572a449b29d10ee892a729b3bf
              • Instruction Fuzzy Hash: 0A116B773211119FCB1DDB29CD82A7B7356EFD5374B254529DA22CB2C1E9709802C790
              Function 012566B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a700a866bd2ae603f33edad035d6e1bc6cb67b52c9ea7469e17dc6612ae4e435
              • Instruction ID: 5870dbb7036a8f8f725cecacf739d1406ccfee0d41f45076bc25de2e900c6b0c
              • Opcode Fuzzy Hash: a700a866bd2ae603f33edad035d6e1bc6cb67b52c9ea7469e17dc6612ae4e435
              • Instruction Fuzzy Hash: C711CEB6A21206DFCB69CF99C5C0A6ABBF8EF84710F454079DE059B314E674DD00CBA0
              Function 012EA8E4 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction ID: 0eeb433e41b015e3de76a200c8e0bd962ca63102d96dfa38ac32e8a306019524
              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction Fuzzy Hash: ED110436A2090AAFDB19CB58C805BADBBF5FF84210F058269E84597340E671AE51CB80
              Function 012AE7E1 Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: 1abfb0f9ebb5a3efafe22abf4d42c2a7ac38dd8a885772fbbc4f7ac2d0bf0e8b
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: AB11C671620602EFEB219F48CC40B6A7BE6EF55754F468428EA099B170D771DD42DBA0
              Function 012427ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2b56772a133c1e4bdd024fde99650db632bf577d5f644ad4a70000fe72bfebe
              • Instruction ID: 3ab6f9d5780295abba5fa8d0d2dab7f8d7c2a877ec88476d6a4186e94683871e
              • Opcode Fuzzy Hash: b2b56772a133c1e4bdd024fde99650db632bf577d5f644ad4a70000fe72bfebe
              • Instruction Fuzzy Hash: 9201D671636646ABF31AA66EE889F3B7B9CFF80394F050065FA00CB291D964DC00C271
              Function 01224690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52c60d72e141e1c0349da38ec323b33c3d554599a090b1e210423c09a2e6d6a2
              • Instruction ID: b8e4cedf29112613ea89bf2309433b79eb8b5af8070353eb15fc2815bd577aba
              • Opcode Fuzzy Hash: 52c60d72e141e1c0349da38ec323b33c3d554599a090b1e210423c09a2e6d6a2
              • Instruction Fuzzy Hash: 7111E5763606A6FFDB29EF59D840F5A7BA8EB85764F004519FA288B250C770F840CF60
              Function 012F4B00 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 587a0720be054e13957276eeb1b4bcaab236cd31806e819d3ad9eb669e00ed98
              • Instruction ID: 969a44243639693e681b42ad8fb40198ed9aff5eb4046be2919e69c8ff4f7dfe
              • Opcode Fuzzy Hash: 587a0720be054e13957276eeb1b4bcaab236cd31806e819d3ad9eb669e00ed98
              • Instruction Fuzzy Hash: 4111293262064A9FD722EA29D844F27F7A5FFC4710F14443DEB46C7251EAB0E802CB90
              Function 01256620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 381ae8bb5a23204c0fa769c4d3262cf7fe40202ab10bac3be9b017337e7e5aaa
              • Instruction ID: 68c22260e7645b6576b65b0f3ba6ab7a7ff9617818e42e45f06875479b7fe99d
              • Opcode Fuzzy Hash: 381ae8bb5a23204c0fa769c4d3262cf7fe40202ab10bac3be9b017337e7e5aaa
              • Instruction Fuzzy Hash: CD11C272A10616AFDB21DF59C9C0B6EFBB8EF88740F900458EE01A7200D738AD41CB60
              Function 0124EA2E Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb4570e76d6b8c48dd2d97341ed180fc752a3e19085092e420dca749d289b818
              • Instruction ID: 84cc91d5d0aac8d3e6a486e80450e0eb2dc7d7c6faf34a716fb3c14ff655519e
              • Opcode Fuzzy Hash: cb4570e76d6b8c48dd2d97341ed180fc752a3e19085092e420dca749d289b818
              • Instruction Fuzzy Hash: D801247151010AAFD729DF18D404F26BBFDFBC6318F22816AE1058B264D7B4EC42CB90
              Function 0124E53E Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: 999d191851d42a5e5c885db9c06cfc8e3edb8bc2654fba37a4bbf61c04de6ffe
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: 3F1182722326C79BF726A72CEA58B257B94FB41754F1A00A0DF41C7692F76CD942C290
              Function 012AE75D Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction ID: cdfd02d19f7c801de07143020c4d79ed80d40848321bedd41f6b6af2a9937200
              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction Fuzzy Hash: 1C01D232620206AFFB299F58CC41F6A7EA9EB80750F468424EB059B260E771DD42CB90
              Function 0121A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: ac014fdc2fe0dccb1084e1befcac5981899a20a2b0461c4f7dc759fce00436b7
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: E60126714267669BCB31CF19DC40AB27BE4FF65760B00852DFE958B285C331D400CB60
              Function 012F4940 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bdb2d47211e8122fd21036b022222299bc1a50c668e693852451c98ef81b1b9
              • Instruction ID: 744f98451abea9a0a5714acd3f97ae9e73609aeddd41f64ba4d222a7a806d860
              • Opcode Fuzzy Hash: 1bdb2d47211e8122fd21036b022222299bc1a50c668e693852451c98ef81b1b9
              • Instruction Fuzzy Hash: EF0104726611429BC322EF1CD800E23F7A8EB81370F154229EB689B292E670D801CB80
              Function 0129E1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e32972b683059a8b14e2ded8bd2e1595b75c1e86fa4c234d74969cd1fb9371d8
              • Instruction ID: 36f0a4bc255d7301405b8b017cfabd625fbe157eba0e13936ac9de2e18603181
              • Opcode Fuzzy Hash: e32972b683059a8b14e2ded8bd2e1595b75c1e86fa4c234d74969cd1fb9371d8
              • Instruction Fuzzy Hash: 7411ED32261241EFCB15EF19CD80F26BBB8FF58B44F2000A5EA058B6A1C275ED00CA90
              Function 01226259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0862cd53e782b57db5b78b8a519824cadd7e456f21f78d938719ff75a1102a61
              • Instruction ID: e292ed09ef616895af373086106b1c0589064e395d3e1b809421cb2aa0633a8e
              • Opcode Fuzzy Hash: 0862cd53e782b57db5b78b8a519824cadd7e456f21f78d938719ff75a1102a61
              • Instruction Fuzzy Hash: 00115A71551229ABEB25EB64CD42FE9B278EB14710F504194A718A61E0EA709E85CF84
              Function 012A6050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0a67ee5269500de50dc4323e1bbc66023b58365c06072cbdf778eb25f2d5553
              • Instruction ID: 7d41c03a02f9a90baeb46ecc615b39dc0fb1235add43036699b801968d8aff9a
              • Opcode Fuzzy Hash: b0a67ee5269500de50dc4323e1bbc66023b58365c06072cbdf778eb25f2d5553
              • Instruction Fuzzy Hash: 141117B2900119ABCB11DB94CC84DEFBB7CEF48358F044166AA06A7211EA34EA55CBA0
              Function 0122208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 2427d04efc3808dd13a2f6b8c8728ca1f6486bce8a6a66eee752a6613fc7b3a1
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 22014532220122DBEF118A58D880B6B7766FFE4600F1540A9EE008F246DAB68C80C390
              Function 012B6500 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26eb6089a363fb867ec1c2ff2323d7b2880140cd25d4c9dffda177dae09c9591
              • Instruction ID: d7690d4b4cf584d634a3d81190ae63704c822aef6f23c46d0eeff8527e34b8c0
              • Opcode Fuzzy Hash: 26eb6089a363fb867ec1c2ff2323d7b2880140cd25d4c9dffda177dae09c9591
              • Instruction Fuzzy Hash: 6D11C4726541469FD711CF58E840BE6BBB9FB9A354F088159E948CB315D732EC81CBA0
              Function 012AC810 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d6e424f70f5a54db2c7f84568589363232cf3df3c98c73b19e938f592092606c
              • Instruction ID: 5a2d5c0893eed1225797d5e25559b5156a9f758a4dee8796bf15a770fd23a37c
              • Opcode Fuzzy Hash: d6e424f70f5a54db2c7f84568589363232cf3df3c98c73b19e938f592092606c
              • Instruction Fuzzy Hash: AA1118B1E10209DFCB00DFA9D541AAEBBF8FF58350F10406AA905E7351D674EA018BA4
              Function 012CEA60 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 611f85fe292b0024ef6586edf0d75ab9ac546580dbf830cad441ea2ba89d8597
              • Instruction ID: 34695221338d57f731d591d78bb58d784b286d412150c2f7b354518f42ce8a32
              • Opcode Fuzzy Hash: 611f85fe292b0024ef6586edf0d75ab9ac546580dbf830cad441ea2ba89d8597
              • Instruction Fuzzy Hash: AB01B1B21602129FC736AE1D844193ABFA9FF91A60B06452EE3555B251CB219D41CB91
              Function 0121C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 4ee7a8ce89957a51f8558a55f477f077f954e455314013cf5fa432165f7358c8
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: D501283222074A9FEB22D6AAD840FB777E9FFD6610F044819EA468B540DAB0E401CB50
              Function 012620F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2e00e5a6e09ca59d7dd389027eaed0233456c90b85cdb0044c669489e992fe7
              • Instruction ID: 4eb552d07f1e440d3508caa6caf21ff7cb945c9ddf845165a93852bc3e7e56ff
              • Opcode Fuzzy Hash: b2e00e5a6e09ca59d7dd389027eaed0233456c90b85cdb0044c669489e992fe7
              • Instruction Fuzzy Hash: E6116D75A2024DEBCF05EF68C851FAE7BB9FB44380F004099EA0197290D635AE51CB90
              Function 0125E5CF Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 539d95608ac2bbc1861bf0c1ea3a20d8be1e29e2c3eb21752ed3a23a7c58b79b
              • Instruction ID: 19c6c7854bd27b7d99eeb96190f4d83105fe6d12e1d8a3a00509f4095bc70857
              • Opcode Fuzzy Hash: 539d95608ac2bbc1861bf0c1ea3a20d8be1e29e2c3eb21752ed3a23a7c58b79b
              • Instruction Fuzzy Hash: 0201D4F2621502BBD715AB6DCD80E63BBACFB986647000529B60583550DB64EC01C6A0
              Function 012B69C0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2cb5b6a63944b3feae79bd4fad3c451058277a0a52f553c424a46f99ee25704a
              • Instruction ID: f944d01ef061ff07d9eec52f983fcbc899f6a30e3d79ecb766a457de300fe3e7
              • Opcode Fuzzy Hash: 2cb5b6a63944b3feae79bd4fad3c451058277a0a52f553c424a46f99ee25704a
              • Instruction Fuzzy Hash: 86014C322342069BC720DF69C8C89B7FBACFF88760F204129EA58872C0E7309941C7D1
              Function 012AC460 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c38ac2eca905c59def5fcc971c56d036bf9f1fd5eb4e5d7532f8e80e9d21f918
              • Instruction ID: 22a733977bd7c39e889c5ced8b6d3c7e109ce2f6f8977030ae5142e1e88e07f7
              • Opcode Fuzzy Hash: c38ac2eca905c59def5fcc971c56d036bf9f1fd5eb4e5d7532f8e80e9d21f918
              • Instruction Fuzzy Hash: E4115B75A1024DABDF15EF68C844EAEBBB9FB48340F004059B90197380DA35EA61CB94
              Function 012AC97C Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5db640eb86fe6eba98388c8ab4f6f23269f69ccf93ed5388b4d099abe042e19
              • Instruction ID: e05893037ac01f731d7e6c84d568bcabdad2f39a46429fa5762f9054a69dbf53
              • Opcode Fuzzy Hash: e5db640eb86fe6eba98388c8ab4f6f23269f69ccf93ed5388b4d099abe042e19
              • Instruction Fuzzy Hash: 151179B16283099FC700DF69D44296BBBF8FF98310F00491ABA98D7390E630E910CB92
              Function 012ACA11 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: debac42a7c9c1b52449c6aebb2349ace857c2a68c0c0a6fcef4d380a968cb5db
              • Instruction ID: 1f1701a73c84c64ab1582386ba6d6f4dc967316de49ec0407ab040abf6e6a795
              • Opcode Fuzzy Hash: debac42a7c9c1b52449c6aebb2349ace857c2a68c0c0a6fcef4d380a968cb5db
              • Instruction Fuzzy Hash: 601179B16283099FC300DF69D44195BBBF8FF99350F00892AB998D73A5E630E910CB92
              Function 0123E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 898cc82162491a80cbcc3395f1b08472bef7472e1ab42fadcf0e6a073a7343fe
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: FE0184713246859FE722871DD948F37BBD8EF84754F0A04A1FA05DB691D678DC40CA25
              Function 0121826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5288c4915d0a776b3006ac5adac9062af8527246f5deaf390b6bf224ee6296a0
              • Instruction ID: 62866267ef224852607ad0ab87772e0b2139920e5ba6b5ff0affa5af144498b6
              • Opcode Fuzzy Hash: 5288c4915d0a776b3006ac5adac9062af8527246f5deaf390b6bf224ee6296a0
              • Instruction Fuzzy Hash: 6001DF317206499BD715EF69D8419BABBE9EF90320F4944299A01A7688DE30D801C790
              Function 012CEB50 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f6d76f42c8be5f5020c75405cbf12473d556877927ac695e47c39241a0409616
              • Instruction ID: b5405a724d59b1296238e2cf3bbaa00e04505188eeb429bfd1232ee77fe2b67e
              • Opcode Fuzzy Hash: f6d76f42c8be5f5020c75405cbf12473d556877927ac695e47c39241a0409616
              • Instruction Fuzzy Hash: 4001A2B1290702AFD3355B19D841F22BEA8EF55F64F05442EB3069F390D6B1E8418B64
              Function 01222582 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c570be90388fe5cfb21100b793b4c3b5a7682531c77e1f1c9de7ca635667ec0
              • Instruction ID: 1686663c0a4e5e37d79aa652cc7f0d10caf24004e0fd64fa96b1fe18b14372f9
              • Opcode Fuzzy Hash: 1c570be90388fe5cfb21100b793b4c3b5a7682531c77e1f1c9de7ca635667ec0
              • Instruction Fuzzy Hash: 5AF0F432661A21B7C735DB5A9D40F1BBAA9EBC4A90F048029F60597600DA30ED01CBA0
              Function 0124C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 6992a967b5157305a51ebc0f8190f63a1a6150f39dd9b0def2378add378c4893
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: A3F062B2601615ABD328CF4DDC40E67FBEEDBD5A90F058129A659D7220EA31DD05CB90
              Function 0121C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: f3775989d18ba6ad43fdb6c4a99bf8ee5157b44337d08b82a3081e9cc6d75684
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 9BF04C372A46339BD732D7594840B3BA9D58FF1A60F190035E3059B608C9B08D1253D0
              Function 012F634F Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4434f99ca3a17b2b490b3e39a9247da9a41f641adb92ba14d7d8eb04ec7bb6f0
              • Instruction ID: c67c3394ad5ddaf9ffb3666a06ec082a4afb3d766908807c1772bf2f5da12c86
              • Opcode Fuzzy Hash: 4434f99ca3a17b2b490b3e39a9247da9a41f641adb92ba14d7d8eb04ec7bb6f0
              • Instruction Fuzzy Hash: F4014475A2024DEFDB04DFA9D5519AEF7F8FF58704F10406AFA04E7390D6749A018BA4
              Function 012F625D Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e979d6ed2026de8f98aca1d95ad119515c3ea62b25bacf7896f51087c6f20964
              • Instruction ID: c8eeb8e5842a0e342126cd2760d181873bc33798e9d2afacf8d56aa883c545c9
              • Opcode Fuzzy Hash: e979d6ed2026de8f98aca1d95ad119515c3ea62b25bacf7896f51087c6f20964
              • Instruction Fuzzy Hash: 27012175A2024AABDB04DFA9D4519AEB7F8FF58304F10406AFA04E7391D6749A018BA4
              Function 012F62D6 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 862d355de6eb433644f5ecb5ae1a7da7a751647c0c878c0155733d47f2d4bf22
              • Instruction ID: 33a66048d359537be3c2e942dec618701a1fa9bb43b3e64c6ee1b81bc0caf3e0
              • Opcode Fuzzy Hash: 862d355de6eb433644f5ecb5ae1a7da7a751647c0c878c0155733d47f2d4bf22
              • Instruction Fuzzy Hash: 30012171A10249ABDB04DFA9D4459AEB7F8FF58704F50406AEA14E7390D6749A018BA4
              Function 0125CA6F Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction ID: 4b075a6489eb7371dfdb6f9d4180a5e1144cf780b5db0f2b929818f3d7ff8d7e
              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
              • Instruction Fuzzy Hash: C401D63122068A9BD7269A1DD849B59BF9CFF42750F0C4065FF048B691E679C910C250
              Function 012F61E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48245ced66c8a9b4f5cab25100b8a70971882f06f01474562eb2a8ea859b4bd1
              • Instruction ID: a4599e7d93413c2c96704f0a484677c4fb62391cdb4771035ffa3f7f88b22b5b
              • Opcode Fuzzy Hash: 48245ced66c8a9b4f5cab25100b8a70971882f06f01474562eb2a8ea859b4bd1
              • Instruction Fuzzy Hash: 86014F71A202499BDB04DFA9D445AEEFBF8FF58314F14406AE505E7380D774EA01CB94
              Function 012A63C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: 66eacec3a6aafb44b4787a77531ff70990bfcb202eab58fd3c4126e85841e3cc
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 6EF0F97221001DBFEF019F94DD80DBF7B7EEB59698B144125FA11A2160D635DE21ABA0
              Function 012AA4B0 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae019640a6349f25fddcefac52a57c7757b646d041d0fb3766683bc9c6b806c5
              • Instruction ID: 6fe7d83c3ee6433887d0b2c1cbe60fdf3a8193f4b8e0619b2d16ce13a6a15c60
              • Opcode Fuzzy Hash: ae019640a6349f25fddcefac52a57c7757b646d041d0fb3766683bc9c6b806c5
              • Instruction Fuzzy Hash: A5014536520259ABCF229F84D840EDA7F6AFF4C764F068115FE1966220C736D971EB81
              Function 0121C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 84cc7f0f486489ab18318667d04f76d190f484f7ac6d160796c1b0df873600ce
              • Instruction ID: 5993e1216baabae12c8900dc8e34d294f7ed6880d01214e7a3473ca232549d6e
              • Opcode Fuzzy Hash: 84cc7f0f486489ab18318667d04f76d190f484f7ac6d160796c1b0df873600ce
              • Instruction Fuzzy Hash: 7FF024752E42425BF714D6298D02F3332D6E7E0660F65802AEB058F2D9EA71DC1183A4
              Function 0125656A Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e6229c33d5e48ff9da87413422fbfc596315feb850510c6fa7d04862b201542
              • Instruction ID: 0ac2764f458300f5226b3faa62e62ec9e9ed4d5a1ec54fa6010bfe1c9266c26b
              • Opcode Fuzzy Hash: 5e6229c33d5e48ff9da87413422fbfc596315feb850510c6fa7d04862b201542
              • Instruction Fuzzy Hash: A401A4706706C69BE772AB3CDD98B3537A8BB81B48F980190BF01CB6D6D778D402C214
              Function 012C437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: db479e8c85e9ebdf1b64cfb19ff89a97c553ecf132d29ae8f6418c08cd7767be
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: DAF0B431371D9347E776BB2E8830B3BAA559FD0D00B26072C97458B680DF60DC408790
              Function 012AE872 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction ID: 019b10185463538e33a6409ca5c61677040fc98d3d51e423ead5ac3b88fa0ec7
              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
              • Instruction Fuzzy Hash: C8F05E727316129FE3219A4ECC80F16B7A8AFD5B60F9B0465A7049B270C764EC0287D0
              Function 012AC89D Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9dd3c991dcc51ec0f14381b3d3200b81d44810e780d19276e05baa676bfcd07d
              • Instruction ID: 0a060d0c19883653524b372de3e8396d4f0f3a48a35dbf5ade79c789b49148da
              • Opcode Fuzzy Hash: 9dd3c991dcc51ec0f14381b3d3200b81d44810e780d19276e05baa676bfcd07d
              • Instruction Fuzzy Hash: 6AF0C8706253449FC310EF28C445A2BB7E4FF98710F40465AB898DB3D4E634E910CB56
              Function 01250854 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction ID: fc01329c145273776d27fa5a9f36a57a36d7e7d2392ea523720cd05b1fc0d5e4
              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
              • Instruction Fuzzy Hash: 94F0E972620205AFE714DF26CC45F56B7E9EFA8350F148078AA45D7164FAB0ED41C658
              Function 012AC912 Relevance: .0, Instructions: 34COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aa257ccae3b5df3b646ee731cc2c92317247761b795ac203a1c7b85320de046b
              • Instruction ID: 08f607a86c4bdd58b1d8c7f11dae3fcfc38fc77c86d1bacdadc58b5a9c1ee9d7
              • Opcode Fuzzy Hash: aa257ccae3b5df3b646ee731cc2c92317247761b795ac203a1c7b85320de046b
              • Instruction Fuzzy Hash: D6F0C270A2024EDFCB04EF69C515AAEB7B8FF18300F008055B945EB385DA38EA01CB50
              Function 012247FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3915409eba13ad43f505e39bcae3fe04063480bce7cabe564a4b50289845e1e1
              • Instruction ID: 132e732412838bc369862e2d3199b7be5119809314cdf15097316a56eb2386eb
              • Opcode Fuzzy Hash: 3915409eba13ad43f505e39bcae3fe04063480bce7cabe564a4b50289845e1e1
              • Instruction Fuzzy Hash: F4F0BB319356F2BFD732FB5CC844B697FD49B00628F05496ADB458B542C7E4D840C653
              Function 012E0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b310402c34a4b58be0eab58ba081d4159eecce42ab94306240145aaead4a516
              • Instruction ID: afeac2e0546a72782cc40b10222c98dd12028dcecb052dc516a62534c69e69e2
              • Opcode Fuzzy Hash: 6b310402c34a4b58be0eab58ba081d4159eecce42ab94306240145aaead4a516
              • Instruction Fuzzy Hash: E3F027A65396820BCF325B6CB4593E13BA9A742220F4A1489E5A15F209C5F4D483C328
              Function 0125C5ED Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e7e3a6e7e38c48743c9bcba95b503a3e5dbfd5070c19ea8b97ef57393b2a912
              • Instruction ID: c1f40ce8eb528912bb7cfbb55c2dc3c1e5f094a0ad4a23cdf595c8c1971d41fe
              • Opcode Fuzzy Hash: 8e7e3a6e7e38c48743c9bcba95b503a3e5dbfd5070c19ea8b97ef57393b2a912
              • Instruction Fuzzy Hash: 34F059758313429FD3A2971CC1C4B2177DC9BC0B60F089425CE1183202E3B0E960C670
              Function 01262619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 063c0800fc4abca9ef6fa3fe27620026e2b6409a3ec76ed81b2480187d391717
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 0CE0D8723106016FE7119E598CC0F67776EDFD2B10F040079B6045F291C9E2DC4983A4
              Function 012B6030 Relevance: .0, Instructions: 29COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: ffb372e40ea75583a70faf900b16546c1e0db881a5a26d5a509f750c6cb04d9a
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 40F030721242049FE3218F0AD984FA2B7F8FB453A4F45C425E7099B561D379EC40CBA4
              Function 01220710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 23cd607f496f864db7e3cc76f970b87642b9836048ea17e02602c695cd6971dc
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 68F0E57A224355ABDB1ACF19D040AA97BA4FB51350F010094F9428B301E771E981CB55
              Function 012549D0 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: 08ee43f365cb7599f3c3bb95c072f6008c535c504d31239884d4976afa5044d8
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: 77E09B322741C59BD3A179598851B76B6A597D47A0F150425EA0887150FB70EC80C798
              Function 012F4164 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 621bdac3b813be7f1ee4da92dae071a82c43b2ff8c4b218adb24e739f0173bc0
              • Instruction ID: 6743233c52eb28642b1c3bec18e093514fe625f91b091b56f439fb3fa2d1af1b
              • Opcode Fuzzy Hash: 621bdac3b813be7f1ee4da92dae071a82c43b2ff8c4b218adb24e739f0173bc0
              • Instruction Fuzzy Hash: 58F0E531A355D28FE772E72CD650B53B7E0AB10630F0A057CD70087A12C3A0DC40C650
              Function 012C678E Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: 335494755889dc0e45ff20be6f5cf46ca3daa7ef79e2914d8da06afd8346a59e
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: F5E0DF72A50510BBEB21A7998D01FAABEADDF90EA0F050058BB00E7190E530DE04C690
              Function 012F08C0 Relevance: .0, Instructions: 25COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: 23424d6784fc949cdd005cfd0bd4808c1de26285ecbe08ec652e32d79986be86
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: D1E09B316503518BCB258A1DC141A63F7EDDF95661F15807DEF0547613C271F852C6D4
              Function 012225E0 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: f62f78dcc716b2451de4a46a05521a2281b6592cdb10c2480c1b5edd9121096c
              • Instruction ID: 81f14b773e1e66ad8b0b889fe0146c1adfc81c5e5a3248f9c6440a72c1e71649
              • Opcode Fuzzy Hash: f62f78dcc716b2451de4a46a05521a2281b6592cdb10c2480c1b5edd9121096c
              • Instruction Fuzzy Hash: E2E09272110594ABC321FB29DD01FAA779AEBA0360F114615F11557190CA74A950C784
              Function 012DA456 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: 289327c4573db2b4d3d3fe3b50418cb5c086a9a1fd99fd0e6dd27e636cf91939
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: DCE01231030652DFE7366F2AD948F627BE5FF50711F158C2DE196124B0D77598D1DA40
              Function 012A4000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 871c90c4b275af10c8c2cb8221f3ea5ed28f33eb5317f9c9cc72f1bdf39dda79
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 62E0C2343503468FE719DF19C040B627BB6BFD5B10F68C068AA488F205EB72E842DB40
              Function 0125CA38 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65adf58673091b11454fe8a00a30a050b6358fb839ae22aeefa7e9db6246a1b4
              • Instruction ID: 30f6b138b3099299e6b4d96cb465ab0778adaebf3e209d7c95e01906e5b2498f
              • Opcode Fuzzy Hash: 65adf58673091b11454fe8a00a30a050b6358fb839ae22aeefa7e9db6246a1b4
              • Instruction Fuzzy Hash: 23D0C2328A11216ACBA6E9187C44FE33E5D9B50220F014860FA0892010E574CC9182D4
              Function 0121823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: ed29535b9b47d73796e1edddbf82bcf8adb5a9a06eaeca5ef3a1df0b0bff7ecd
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: EDE0C231030A52EFDB33AF15DC40FA276E9FFA4B10F204829E181164A887B4ACC1CB44
              Function 01222050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4391e153f425ed2c14bec4ea825b3df1214a266c8c1b91fd51456ca29f48bc07
              • Instruction ID: ec8445ba21c4be2199eead8c7f5ad1840b47b0f3c6dd2d7c3a3ef00cd1567083
              • Opcode Fuzzy Hash: 4391e153f425ed2c14bec4ea825b3df1214a266c8c1b91fd51456ca29f48bc07
              • Instruction Fuzzy Hash: 27E0C2732104A0ABC321FB5DDD01F6E739EEFA4370F010221F15187290CA64AD00C794
              Function 01276AA4 Relevance: .0, Instructions: 17COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction ID: af9553076d7d6d1656f4dab154a4c0b658a4a66ce3e139e50006ce6351bf2e51
              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction Fuzzy Hash: C2D05E36521A50AFD3329F1BEA00C13BBF9FBC4A107050A2EE54583920C670AC06CBA0
              Function 0125E59C Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 96cfd10869aa956620245f871bf2b60cb73ecbb4c5df8206e05a4d48e1d46567
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: A7D0A932624620ABDB32AA1CFC00FD333E8BB88720F060899F008C7050C364AC81CA84
              Function 0129E908 Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction ID: 3eb970513e1994c348da4b6c4458e1b0b74619df6ba6ba9564b74925fcae81d7
              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction Fuzzy Hash: 5CE0EC75960685ABDF12DF5DC640F5EBBB5BB94B40F160454E1485B660C664AD00CB40
              Function 0121A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: 50f304a8eddb0f94239814568eac928361a353f7b9182b4395787dc9720a89f2
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 0DD022322330B193CB28D6556900F636945ABD0A90F0A002C750AA3804C0088C42C2E0
              Function 0125A830 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction ID: 1eba3e0dbba1cf18d6c45347b3c8082ce359d79ca88b7523dfbfcc5e46c74609
              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction Fuzzy Hash: F3D012771E054DBBCB11DF66DC01FA57BA9E7A4BA0F444420F504875A0C63AE950D684
              Function 0125CA24 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 06251c867e8f187b01a9710cab417e404f1e705a06c97f6a01add3c5d9f4c6ee
              • Instruction ID: e8034a5b679267e43074aee97e97b05d418beb7fcbd126fea643cc6226932aef
              • Opcode Fuzzy Hash: 06251c867e8f187b01a9710cab417e404f1e705a06c97f6a01add3c5d9f4c6ee
              • Instruction Fuzzy Hash: 40D052316722068BDF2ACF48CA51A3A3AB8EF20A41B440068EB00A2020E328E8118A00
              Function 012302A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: e8b1c09d1660b76bca89eeb3b9aeaab0014fe7d131ed9a626c718b78500f6768
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 4AD0C975222E81CFD61BCB1DC5A4F1533A8BB84B44F810490F501CBB62D66CD940CB14
              Function 0125C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 0889fae44eb1d344a825947ad9d9860128118490462164fa7ef224684ece9b92
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: B5C012322A0648AFC712EA99CD01F127BA9EBA8B40F000421F2048B670C635E920EA84
              Function 01240310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: c01a5b7332b2c9573478b231d916aed94b05ecbecb963dba8e323c00739cdbb5
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: A8D01236110248EFCB05DF41C890DAA7B2AFBD8710F108019FD19076108A71ED62DA50
              Function 01220750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: f099d67f9a27a2efbe62d1ef045de3ed443eaa4d3b435dd76bb2dd324d9c9022
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 14C04C797215468FCF15DB19D294F5677E4F744750F1508D0E905CB721E624E901CA10
              Function 01264340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 376b17c3499ef1b99f30c5ea251bf7635a5155134d0da489473c4b1d8712d83f
              • Instruction ID: 03d65e55d4b72c474161b7b0d422ed404d806ded4e41e2aa99fc1b97cb8cfd91
              • Opcode Fuzzy Hash: 376b17c3499ef1b99f30c5ea251bf7635a5155134d0da489473c4b1d8712d83f
              • Instruction Fuzzy Hash: B8900231616800129240715848885474005A7E0301B55C021E1424554CCA248A565361
              Function 01264650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12738f8df6d84e02f496f2f8e1317938d2b903e2109719cbcbdef6199c1034f3
              • Instruction ID: f4029e59fccbb3544bcc4013e520144fd6a7bf647ed2ff1fe142b326d89eb09d
              • Opcode Fuzzy Hash: 12738f8df6d84e02f496f2f8e1317938d2b903e2109719cbcbdef6199c1034f3
              • Instruction Fuzzy Hash: 1D900261612500424240715848084076005A7E1301395C125A1554560CC62889559369
              Function 01262BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 352767a28905c9e379ec1acef23ac90e2248d216ba973191e5d250c4bfa296fa
              • Instruction ID: 5a4e8fb47f39797281f112706b6ef14719b814631a8232ddcb45caee3b718550
              • Opcode Fuzzy Hash: 352767a28905c9e379ec1acef23ac90e2248d216ba973191e5d250c4bfa296fa
              • Instruction Fuzzy Hash: F690023161640802D25071584418747000597D0301F55C021A1024654DC7658B5577A1
              Function 01262B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55dda763c70c8e039ee361c13d682f33babcee819f0aef40662511160c5b0384
              • Instruction ID: c150dbc45cddb36c214a13ddf63fe485d5e107338b5da83bc5dc2048182f1724
              • Opcode Fuzzy Hash: 55dda763c70c8e039ee361c13d682f33babcee819f0aef40662511160c5b0384
              • Instruction Fuzzy Hash: BC90023121240802D20471584808687000597D0301F55C021A7024655ED67589917231
              Function 01262BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1982983e3cbadba8e4303c3c6119e5e338831e860e9938593049a9c65cee0b00
              • Instruction ID: 696d4b37193e30e33ebc69b7ac0daaa4824da8917ca3391d3d92603547505602
              • Opcode Fuzzy Hash: 1982983e3cbadba8e4303c3c6119e5e338831e860e9938593049a9c65cee0b00
              • Instruction Fuzzy Hash: 6E90023121644842D24071584408A47001597D0305F55C021A1064694DD6358E55B761
              Function 01262BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec6d7007ddeef07c5e3c1c8bdb1f5fda18a9d00e41c215db98b10420eb0bb0dc
              • Instruction ID: eb306b89aada229da58d6d6718de0a80c0cf5986c884302315a22df636c33b2d
              • Opcode Fuzzy Hash: ec6d7007ddeef07c5e3c1c8bdb1f5fda18a9d00e41c215db98b10420eb0bb0dc
              • Instruction Fuzzy Hash: 3790023121240802D2807158440864B000597D1301F95C025A1025654DCA258B5977A1
              Function 01262AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a931cb8926801b853cc0915c7c9c39ed942837e40b45139a9a2174fc97760ad
              • Instruction ID: 67d1ae6e2ca5e0aade1cc87c0c5d55edbe31fc77245e1cf70642ac7f2ba16582
              • Opcode Fuzzy Hash: 4a931cb8926801b853cc0915c7c9c39ed942837e40b45139a9a2174fc97760ad
              • Instruction Fuzzy Hash: BB9002A1212540924600B2588408B0B450597E0201B55C026E2054560CC53589519235
              Function 01262AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 706ec87bb68d8a59f6952733cd84cf8b604d75e298ccf390fd39c54900112cbf
              • Instruction ID: b9f3b03001f47b807475e1548f8ae1d25a25149531930aa2b445ab7281f3c8e9
              • Opcode Fuzzy Hash: 706ec87bb68d8a59f6952733cd84cf8b604d75e298ccf390fd39c54900112cbf
              • Instruction Fuzzy Hash: 81900225232400020245B558060850B0445A7D6351395C025F2416590CC63189655321
              Function 01262AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3861fd79130a8767a33f3ee6e4a60117704f0ae4b749f4c3fad3def4efb881d0
              • Instruction ID: 08aa7991bd517d16b6ea3c6243f8884bf0f5fe5fe67559278925964e73ede826
              • Opcode Fuzzy Hash: 3861fd79130a8767a33f3ee6e4a60117704f0ae4b749f4c3fad3def4efb881d0
              • Instruction Fuzzy Hash: 51900435333400030305F55C070C5070047D7D5351355C031F3015550CD731CD715331
              Function 01262D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10c189a7e4bafd2ca4f720ba90778e44e3c6f42947e141a220a0c914b90f6f75
              • Instruction ID: 612b82226336d346b10522c58ff56f6a94a37261134e6e1054b72b3c43997862
              • Opcode Fuzzy Hash: 10c189a7e4bafd2ca4f720ba90778e44e3c6f42947e141a220a0c914b90f6f75
              • Instruction Fuzzy Hash: 7990022131240003D2407158541C6074005E7E1301F55D021E1414554CD92589565322
              Function 01262D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0584455118de26b6766d7387327287b82731fc568b356e8e6a9ff7a4175bed76
              • Instruction ID: cef821ac5ad9e23426a111bcfe9c6074f03dc228628b38a09f93b12ab97afce5
              • Opcode Fuzzy Hash: 0584455118de26b6766d7387327287b82731fc568b356e8e6a9ff7a4175bed76
              • Instruction Fuzzy Hash: 4190022121644442D2007558540CA07000597D0205F55D021A2064595DC6358951A231
              Function 01262D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3f6030fe9ce9d35ba2452bf73a7442267fc73f09157b6ef640f9d6b05dabec9
              • Instruction ID: cacefd3da9236fb71126cdfd66aba57dec6db2d770ecf36bb5dd698618ab061e
              • Opcode Fuzzy Hash: f3f6030fe9ce9d35ba2452bf73a7442267fc73f09157b6ef640f9d6b05dabec9
              • Instruction Fuzzy Hash: 2090022922340002D2807158540C60B000597D1202F95D425A1015558CC92589695321
              Function 01262DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 869935db56b523ea38470ada6443de2cf492b4abd87656bc82e3005967c7fef5
              • Instruction ID: 63ca2c5529cd6073f3340bbb378f043b887db23fac7f518756aa28244787ca7c
              • Opcode Fuzzy Hash: 869935db56b523ea38470ada6443de2cf492b4abd87656bc82e3005967c7fef5
              • Instruction Fuzzy Hash: CB90023125240402D241715844086070009A7D0241F95C022A1424554EC6658B56AB61
              Function 01262DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c53c720cacdf61d5fe305f7067d2602cd2d1cd699bb1113cae23287d9be3c1e1
              • Instruction ID: f0c4d62a3403aa6b71387e89f98bce6d50aa01ca6e804b4f758017e4fae7d9df
              • Opcode Fuzzy Hash: c53c720cacdf61d5fe305f7067d2602cd2d1cd699bb1113cae23287d9be3c1e1
              • Instruction Fuzzy Hash: 75900221253441525645B15844085074006A7E0241795C022A2414950CC5369956D721
              Function 01262C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0c85de712638272d7d9a00d71fe6f80b0cee30f070b38495f9a1918427af6577
              • Instruction ID: f54017568b9ec0d1e423e946a816386d7b8d4155f91660e25530014b80e9f8f9
              • Opcode Fuzzy Hash: 0c85de712638272d7d9a00d71fe6f80b0cee30f070b38495f9a1918427af6577
              • Instruction Fuzzy Hash: CB90023121240842D20071584408B47000597E0301F55C026A1124654DC625C9517621
              Function 01262CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 983fa80c70789a4fd640a91c6be4bd9d0f6aa4f99212b5aa40f25b325191bcfb
              • Instruction ID: ee30160c4f4fc312190dcdfc8cbdcc041dac57f427bf99cb743ecf8f36dd67a5
              • Opcode Fuzzy Hash: 983fa80c70789a4fd640a91c6be4bd9d0f6aa4f99212b5aa40f25b325191bcfb
              • Instruction Fuzzy Hash: AD90023121240402D2007598540C647000597E0301F55D021A6024555EC67589916231
              Function 01262CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a6a6c73ec0fb148c372541f6aa2804fa35dd4acb9be5a3282ba6a16d28d67c8
              • Instruction ID: 051647e80d58425d08a2898a7804616e661738d08ac87a004f969063569c697e
              • Opcode Fuzzy Hash: 0a6a6c73ec0fb148c372541f6aa2804fa35dd4acb9be5a3282ba6a16d28d67c8
              • Instruction Fuzzy Hash: 7190023121240403D2007158550C707000597D0201F55D421A1424558DD66689516221
              Function 01262CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8477e579ca05daf645cd0035d548bac19433c4a86ee667db8287cbabfd7cb44
              • Instruction ID: e3e04f00708f440dac10ecd6fd3d5c0d3cf8dbe2bb1b7f75047ae513a4031e32
              • Opcode Fuzzy Hash: b8477e579ca05daf645cd0035d548bac19433c4a86ee667db8287cbabfd7cb44
              • Instruction Fuzzy Hash: 4090022161640402D2407158541C707001597D0201F55D021A1024554DC6698B5567A1
              Function 01262F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c51c32b4d5fb7de625c21f0ba434c3c3443981cb761c2be186431d6adc4cd7c
              • Instruction ID: 57fa554c684bad070fd3cb5e3f431f485c68da0d9e1c8d471949792036c81c0e
              • Opcode Fuzzy Hash: 7c51c32b4d5fb7de625c21f0ba434c3c3443981cb761c2be186431d6adc4cd7c
              • Instruction Fuzzy Hash: 8590026135240442D20071584418B070005D7E1301F55C025E2064554DC629CD526226
              Function 01262F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f4e25673e10234b13e5d87f1096e3da6fdea64e3ad72e7f1e358d0d9f8d16ed
              • Instruction ID: 27685442a436e56f494d7763662336807084f565a666342746672a206b58c4d9
              • Opcode Fuzzy Hash: 1f4e25673e10234b13e5d87f1096e3da6fdea64e3ad72e7f1e358d0d9f8d16ed
              • Instruction Fuzzy Hash: 5790026122240042D20471584408707004597E1201F55C022A3154554CC5398D615225
              Function 01262FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca4803e7cbedc7c064c7bd770729716118a75164c6c9478082aaa27a66376e35
              • Instruction ID: c4821b49e8cdfcebfbd06e180f48b97f90e11492f51c6f6b7e618607e548c5fd
              • Opcode Fuzzy Hash: ca4803e7cbedc7c064c7bd770729716118a75164c6c9478082aaa27a66376e35
              • Instruction Fuzzy Hash: B190023121280402D2007158480C747000597D0302F55C021A6164555EC675C9916631
              Function 01262FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: faae5bebe6ec7a2ccbeffdaa77c4f8d18fe658a0470719e12f5a173546ac8811
              • Instruction ID: ca19492bb7aea3c5d2df5fac2913e846b8d47cdf878004572c305ee7df4faa71
              • Opcode Fuzzy Hash: faae5bebe6ec7a2ccbeffdaa77c4f8d18fe658a0470719e12f5a173546ac8811
              • Instruction Fuzzy Hash: BC900221612400424240716888489074005BBE1211755C131A1998550DC56989655765
              Function 01262F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74d2bc718134019030ed2e7465132950bcd0530c16682c17d021412319b3988f
              • Instruction ID: 61c82cf9a875d0dc586fee70ddd59f47ade0446bafa107cb4ba011047b60371e
              • Opcode Fuzzy Hash: 74d2bc718134019030ed2e7465132950bcd0530c16682c17d021412319b3988f
              • Instruction Fuzzy Hash: A490023121280402D2007158481870B000597D0302F55C021A2164555DC63589516671
              Function 01262FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdb30fb5a8eb42e8dd6d8d7e41e7b9cafb82b39782b823de165b51d269e68297
              • Instruction ID: 0c51f8b85acf6b8c869b2d64e7593c98e2683c874435735c1db25eaea3e4a5b4
              • Opcode Fuzzy Hash: fdb30fb5a8eb42e8dd6d8d7e41e7b9cafb82b39782b823de165b51d269e68297
              • Instruction Fuzzy Hash: 16900221222C0042D30075684C18B07000597D0303F55C125A1154554CC92589615621
              Function 01262E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1578a0ba1f483e5c60187b1807229bca2bac062ad6ec0ce487d14677386d3d32
              • Instruction ID: 3efab65860cb5692501fdf09eab301c7caee3a17077eca346f6235331b3b8421
              • Opcode Fuzzy Hash: 1578a0ba1f483e5c60187b1807229bca2bac062ad6ec0ce487d14677386d3d32
              • Instruction Fuzzy Hash: 8690022131240402D202715844186070009D7D1345F95C022E2424555DC6358A53A232
              Function 01262EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c4c774e62030c9e6a129b7f77d9146c554be48e0de21f538e786d9cc9b6dbe0
              • Instruction ID: a3cb098a4f11e79c7a914473fa7e6eddf69b54e73e10e0b1ffee1e6c3de503af
              • Opcode Fuzzy Hash: 8c4c774e62030c9e6a129b7f77d9146c554be48e0de21f538e786d9cc9b6dbe0
              • Instruction Fuzzy Hash: A590027121240402D24071584408747000597D0301F55C021A6064554EC6698ED56765
              Function 01262E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57bb8ba8e57250b04f203d08ebdaf8277c77c43805a005c948d02add560ac6a9
              • Instruction ID: 9f2d2963b916bdba37f4dad438e7e6077452b43a4c19a7374d9e013990c1e1cd
              • Opcode Fuzzy Hash: 57bb8ba8e57250b04f203d08ebdaf8277c77c43805a005c948d02add560ac6a9
              • Instruction Fuzzy Hash: 8C90022161240502D20171584408617000A97D0241F95C032A2024555ECA358A92A231
              Function 01262EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21cff4de713777de7b12ff36b6502f46acd8ab6587b69b738ad5d6f96fb8fbd7
              • Instruction ID: b15a1f3819f03d5b1504adcb5ceda68ebfda8665f4c64e6240076214b8d76950
              • Opcode Fuzzy Hash: 21cff4de713777de7b12ff36b6502f46acd8ab6587b69b738ad5d6f96fb8fbd7
              • Instruction Fuzzy Hash: EA90026121280403D24075584808607000597D0302F55C021A3064555ECA398D516235
              Function 01263010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 736e6426a1b44f6e81bac825edc1a7ab51b4a76600b93f7d29fa4a4ba0c05cca
              • Instruction ID: b598fcdf33aa129e53af85cfa0acc44a21235f149dd32e2a87228e5a65fcf028
              • Opcode Fuzzy Hash: 736e6426a1b44f6e81bac825edc1a7ab51b4a76600b93f7d29fa4a4ba0c05cca
              • Instruction Fuzzy Hash: F290022121284442D24072584808B0F410597E1202F95C029A5156554CC92589555721
              Function 01263090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dacb00b6660553f1f821c9d40892bc5c4b4526349f4abf25b7c749c260227c08
              • Instruction ID: 378d4656de4b25525b73ed998136491f1cbf561f8fdea84bb8713797eed05769
              • Opcode Fuzzy Hash: dacb00b6660553f1f821c9d40892bc5c4b4526349f4abf25b7c749c260227c08
              • Instruction Fuzzy Hash: 7090022125240802D240715884187070006D7D0601F55C021A1024554DC6268A6567B1
              Function 012639B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c962f18aa2d5196c189af0292b51081b0b403efd62bf05ecd42b74f71cb84d7
              • Instruction ID: 3f6a2e3cd9b32884e6ce1a014cd374d6422778c8cb61c33927361183f2c6a9d4
              • Opcode Fuzzy Hash: 8c962f18aa2d5196c189af0292b51081b0b403efd62bf05ecd42b74f71cb84d7
              • Instruction Fuzzy Hash: 7D90022125645102D250715C44086174005B7E0201F55C031A1814594DC56589556321
              Function 01263D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eeeba30df3dcdfe15ea5f1918d2a6b6aaf9fad4c75a61ceaf853cd0d23f096e5
              • Instruction ID: 10c87c07a0f5f78247010cb2b74a1dbecb732dadec22b3385d9adb722add6862
              • Opcode Fuzzy Hash: eeeba30df3dcdfe15ea5f1918d2a6b6aaf9fad4c75a61ceaf853cd0d23f096e5
              • Instruction Fuzzy Hash: 1090023121340142964072585808A4F410597E1302B95D425A1015554CC92489615321
              Function 01263D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26f4811db2918316aea995e989d2aabacc023329837283bf78c4bdb74593e992
              • Instruction ID: 20c9bba84fd7a65be5abdba463055513476b505dbddb2ec062167c782e109a7c
              • Opcode Fuzzy Hash: 26f4811db2918316aea995e989d2aabacc023329837283bf78c4bdb74593e992
              • Instruction Fuzzy Hash: CC90023521240402D61071585808647004697D0301F55D421A1424558DC66489A1A221
              Function 01262C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 086408ec3c2432fe1f68a9e814731704395c99cb7cbf41fcf06ddafc4159e156
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 01262890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 3839e6f9a53d400b6492ca219d8d60759679ef39e1eeb598b3a9b0a131ead74b
              • Instruction ID: 7428d133ed13f03d022b412eda207d2f5fd347460d0f2223fb672ebb0116fd31
              • Opcode Fuzzy Hash: 3839e6f9a53d400b6492ca219d8d60759679ef39e1eeb598b3a9b0a131ead74b
              • Instruction Fuzzy Hash: F451E5B2A20217AFDB15DF9C888097EFBBCBB58240714C129E569D7681D374DE848BA0
              Function 012D2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 8f8a73c36f925ec56629ee566039527623c2535a0f9023dca7041c3978de89ba
              • Instruction ID: 48393d5c351b361181a9acd3c4a2a64fae27f23c238ec61222970423fa472a12
              • Opcode Fuzzy Hash: 8f8a73c36f925ec56629ee566039527623c2535a0f9023dca7041c3978de89ba
              • Instruction Fuzzy Hash: 89513671A20646EFCB34DF9CD99097FBBF9EF44200B448459EA96D3641E6B4EE00C760
              Function 01257630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01294787
              • Execute=1, xrefs: 01294713
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01294742
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01294725
              • ExecuteOptions, xrefs: 012946A0
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01294655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012946FC
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 3cfc84124ce5c9c5d1cde2476ff52fff848ba64adf7abd432dff349f60b34935
              • Instruction ID: 76d961e37a84f8475009ef97592489877df60170b7c5f2bd6b71784faebafd8b
              • Opcode Fuzzy Hash: 3cfc84124ce5c9c5d1cde2476ff52fff848ba64adf7abd432dff349f60b34935
              • Instruction Fuzzy Hash: FD51193166021ABFEF25AAA8ECC5FFD77ACAF14304F440199DA05A71D1D770DA418F61
              Function 012F6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction ID: a3529e4bfeb19d0dfefbd6cfd5f89743f76fe8ab9286513ba0ebbace98e3a04f
              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
              • Instruction Fuzzy Hash: 1D021471528342AFD305CF18C494A6BFBE5EFC8700F048A2DFA999B264DB31E945CB42
              Function 0126B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction ID: 376fbd8883c503ddef54b3517b8973442574e169b1ccf90b290d1d0b0b0dabbe
              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
              • Instruction Fuzzy Hash: F181C231F2524A8EEF298E6CC8917FEBBB9AF45320F184119DA51E72D1C73488C0CB51
              Function 012D20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 38dab1bbf86b3e200033036a8838d4ff6aabb2e3fa97cd67c2265c57f9b6da12
              • Instruction ID: cdb9dc188ce07c511217631bead11f66773c1ad2c7cf091d75e70c0c64996e07
              • Opcode Fuzzy Hash: 38dab1bbf86b3e200033036a8838d4ff6aabb2e3fa97cd67c2265c57f9b6da12
              • Instruction Fuzzy Hash: E921927AA2011AEBDB11DF79CC40AFEBBFCEF54650F044116EA15E3241E730DA018BA0
              Function 0124F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012902E7
              • RTL: Re-Waiting, xrefs: 0129031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012902BD
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 847ab19252313410435e5e55f4cfd46ea5e741716b5f807695f3f0b72f8bec34
              • Instruction ID: 28c849d14b925c7a674d257e6cf08f1f92f3318a03bf2b1e2184431871d60d13
              • Opcode Fuzzy Hash: 847ab19252313410435e5e55f4cfd46ea5e741716b5f807695f3f0b72f8bec34
              • Instruction Fuzzy Hash: 2EE1AE706247429FEB29CF2CC985B2ABBE4BF84314F140A5DF6A58B2D1D774D844CB46
              Function 0125BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 01297BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01297B7F
              • RTL: Resource at %p, xrefs: 01297B8E
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: c3c737273c4628ff0423658b72c20939d50ea6d9929fd9eeb95e7cd48ba43e0c
              • Instruction ID: b5bbf7f948a754798aa6117a74604355a7c09486091de49ade91892ab8bf4897
              • Opcode Fuzzy Hash: c3c737273c4628ff0423658b72c20939d50ea6d9929fd9eeb95e7cd48ba43e0c
              • Instruction Fuzzy Hash: 2641E3317207039FDB25CE29C891B6AB7E6EF98710F100A1DFE5A97280DB71E8058B91
              Function 0125B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0129728C
              Strings
              • RTL: Re-Waiting, xrefs: 012972C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01297294
              • RTL: Resource at %p, xrefs: 012972A3
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 3210dff805f92ee8ad3e503b66914da50a097756cb4e903531b1941a936f21dc
              • Instruction ID: 53640f62c498ccb8618ad95ffe44a003ba724559a595f41c9ebb1f66c8594622
              • Opcode Fuzzy Hash: 3210dff805f92ee8ad3e503b66914da50a097756cb4e903531b1941a936f21dc
              • Instruction Fuzzy Hash: 00410531B70603ABDB21CE29CC81B6ABBA5FF54710F100619FE5597280DB31E8518BD1
              Function 012D2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 5550d8cf68afc5ef11f586a295772f604675c340b9d9edc0ea8f64c26b001b29
              • Instruction ID: 09a5e9c366279e267d30b110e64c65cf747791530b80de2260cd3ad1e94d3d66
              • Opcode Fuzzy Hash: 5550d8cf68afc5ef11f586a295772f604675c340b9d9edc0ea8f64c26b001b29
              • Instruction Fuzzy Hash: DF314372A20219DFDB60DF29DC40BAEB7F8EB54610F544555ED49E3244EF309A448BA0
              Function 01267D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction ID: 5bf33b978ce3a227ad70af083d1dcc32650266b09832bbf73441c8a142182149
              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
              • Instruction Fuzzy Hash: 6D91D470E202079BEB24DF6DE881ABEBBADFF44728F14451AEA55E72C0D77489C08751
              Function 01229126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000008.00000002.1896435751.00000000011F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011F0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_11f0000_PURCHASE ORDER-6350.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 2bababc836590b36ccd5fd6951a13c324412a471f820fb47c2e9d215be95b938
              • Instruction ID: c0cef3585181f71a7888bf11d2aa997eec5b0951db07b824c0194a45bf634234
              • Opcode Fuzzy Hash: 2bababc836590b36ccd5fd6951a13c324412a471f820fb47c2e9d215be95b938
              • Instruction Fuzzy Hash: 85812971D1127ADBDB259B54CC45BEEB6B8AF48714F0041EAEA09B7280D7709E84CFA0

              Execution Graph

              Execution Coverage:8.2%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:41
              Total number of Limit Nodes:4
              execution_graph 17047 17c4668 17048 17c4669 17047->17048 17049 17c4686 17048->17049 17051 17c4778 17048->17051 17052 17c477c 17051->17052 17056 17c4878 17052->17056 17060 17c4888 17052->17060 17058 17c487c 17056->17058 17057 17c498c 17058->17057 17064 17c44b0 17058->17064 17061 17c4889 17060->17061 17062 17c498c 17061->17062 17063 17c44b0 CreateActCtxA 17061->17063 17062->17062 17063->17062 17065 17c5918 CreateActCtxA 17064->17065 17067 17c59db 17065->17067 17068 17cd040 17069 17cd045 GetCurrentProcess 17068->17069 17071 17cd0d8 GetCurrentThread 17069->17071 17072 17cd0d1 17069->17072 17073 17cd10e 17071->17073 17074 17cd115 GetCurrentProcess 17071->17074 17072->17071 17073->17074 17075 17cd14b 17074->17075 17076 17cd173 GetCurrentThreadId 17075->17076 17077 17cd1a4 17076->17077 17078 17cacb0 17079 17cacb1 17078->17079 17083 17cada8 17079->17083 17088 17cad97 17079->17088 17080 17cacbf 17085 17cada9 17083->17085 17084 17caddc 17084->17080 17085->17084 17086 17cafe0 GetModuleHandleW 17085->17086 17087 17cb00d 17086->17087 17087->17080 17089 17cad9c 17088->17089 17090 17caddc 17089->17090 17091 17cafe0 GetModuleHandleW 17089->17091 17090->17080 17092 17cb00d 17091->17092 17092->17080 17093 17cd751 17094 17cd714 DuplicateHandle 17093->17094 17096 17cd75a 17093->17096 17095 17cd726 17094->17095

              Executed Functions

              Function 017CD030 Relevance: 6.1, APIs: 4, Instructions: 135threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 298 17cd030-17cd032 299 17cd039-17cd03e 298->299 300 17cd034-17cd038 298->300 301 17cd045-17cd0cf GetCurrentProcess 299->301 302 17cd040-17cd044 299->302 300->299 306 17cd0d8-17cd10c GetCurrentThread 301->306 307 17cd0d1-17cd0d7 301->307 302->301 308 17cd10e-17cd114 306->308 309 17cd115-17cd149 GetCurrentProcess 306->309 307->306 308->309 311 17cd14b-17cd151 309->311 312 17cd152-17cd16d call 17cd619 309->312 311->312 315 17cd173-17cd1a2 GetCurrentThreadId 312->315 316 17cd1ab-17cd20d 315->316 317 17cd1a4-17cd1aa 315->317 317->316
              APIs
              • GetCurrentProcess.KERNEL32 ref: 017CD0BE
              • GetCurrentThread.KERNEL32 ref: 017CD0FB
              • GetCurrentProcess.KERNEL32 ref: 017CD138
              • GetCurrentThreadId.KERNEL32 ref: 017CD191
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 8bda36535e31162ca22879ac8cb625143d1fcba2263842c18ced38bd2982e949
              • Instruction ID: 07f6399ccd2d2341b2cc34a00513e6e007011034df30ee6b642436f857d98599
              • Opcode Fuzzy Hash: 8bda36535e31162ca22879ac8cb625143d1fcba2263842c18ced38bd2982e949
              • Instruction Fuzzy Hash: F15123B09002498FDB54DFA9D548B9EFFF1AB88314F20C46DE119A7360DB74A984CFA5
              Function 017CD040 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 324 17cd040-17cd0cf GetCurrentProcess 329 17cd0d8-17cd10c GetCurrentThread 324->329 330 17cd0d1-17cd0d7 324->330 331 17cd10e-17cd114 329->331 332 17cd115-17cd149 GetCurrentProcess 329->332 330->329 331->332 334 17cd14b-17cd151 332->334 335 17cd152-17cd16d call 17cd619 332->335 334->335 338 17cd173-17cd1a2 GetCurrentThreadId 335->338 339 17cd1ab-17cd20d 338->339 340 17cd1a4-17cd1aa 338->340 340->339
              APIs
              • GetCurrentProcess.KERNEL32 ref: 017CD0BE
              • GetCurrentThread.KERNEL32 ref: 017CD0FB
              • GetCurrentProcess.KERNEL32 ref: 017CD138
              • GetCurrentThreadId.KERNEL32 ref: 017CD191
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 8bde0b4ba1df536c4bb3c43dc2b93955275fc284da5dbcc12f581fac73182bc6
              • Instruction ID: 5a61782b90169a6146a51a36097238a0800ef7d04fd63f95c2d6ea560537ba2c
              • Opcode Fuzzy Hash: 8bde0b4ba1df536c4bb3c43dc2b93955275fc284da5dbcc12f581fac73182bc6
              • Instruction Fuzzy Hash: 715122B09002498FDB14DFA9D548B9EBBF1AB88314F20C46DE519A7360DB34A984CFA5
              Function 017CADA8 Relevance: 1.7, APIs: 1, Instructions: 210COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 395 17cada8-17cadb7 398 17cadb9-17cadc6 call 17ca0cc 395->398 399 17cade3-17cade7 395->399 405 17caddc 398->405 406 17cadc8 398->406 401 17cade9-17cadf3 399->401 402 17cadfb-17cae3c 399->402 401->402 408 17cae3e-17cae46 402->408 409 17cae49-17cae57 402->409 405->399 458 17cadce call 17cb040 406->458 459 17cadce call 17cb030 406->459 408->409 410 17cae59-17cae5e 409->410 411 17cae7b-17cae7d 409->411 413 17cae69 410->413 414 17cae60-17cae67 call 17ca0d8 410->414 416 17cae80-17cae87 411->416 412 17cadd4-17cadd6 412->405 415 17caf18-17caf92 412->415 418 17cae6b-17cae79 413->418 414->418 447 17caf99-17caf9c 415->447 448 17caf94 415->448 419 17cae89-17cae91 416->419 420 17cae94-17cae9b 416->420 418->416 419->420 421 17cae9d-17caea5 420->421 422 17caea8-17caeaa call 17ca0e8 420->422 421->422 426 17caeaf-17caeb1 422->426 428 17caebe-17caec3 426->428 429 17caeb3-17caebb 426->429 430 17caec5-17caecc 428->430 431 17caee1-17caeee 428->431 429->428 430->431 433 17caece-17caede call 17ca0f8 call 17ca108 430->433 438 17caef0-17caf0e 431->438 439 17caf11-17caf17 431->439 433->431 438->439 451 17caf9d-17cafbe 447->451 449 17caf96 448->449 450 17cafc0-17cafd8 448->450 449->451 452 17caf98 449->452 453 17cafda-17cafdd 450->453 454 17cafe0-17cb00b GetModuleHandleW 450->454 451->450 452->447 453->454 455 17cb00d-17cb013 454->455 456 17cb014-17cb028 454->456 455->456 458->412 459->412
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 017CAFFE
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 9fd542566b820c21d5abd201050114e6d11af16b28d6ab3fb83655f46ca45ab9
              • Instruction ID: 3cd71abb9ffe0853a807a2f60410743b411e4b53e9b45ab6d8e63b5ed5423c18
              • Opcode Fuzzy Hash: 9fd542566b820c21d5abd201050114e6d11af16b28d6ab3fb83655f46ca45ab9
              • Instruction Fuzzy Hash: 5C813570A00B0A8FD724DF6AD44579AFBF5BF88705F008A2DD18AD7A50E775E849CB90
              Function 017C590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 460 17c590c-17c5912 461 17c5919-17c591c 460->461 462 17c5914-17c5916 460->462 463 17c591d-17c59d9 CreateActCtxA 461->463 462->463 464 17c5918 462->464 466 17c59db-17c59e1 463->466 467 17c59e2-17c5a3c 463->467 464->461 466->467 474 17c5a3e-17c5a41 467->474 475 17c5a4b-17c5a4f 467->475 474->475 476 17c5a60 475->476 477 17c5a51-17c5a5d 475->477 479 17c5a61 476->479 477->476 479->479
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 017C59C9
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 1cb6db2cf5b22214da5fe5fe3b5ff12f502274762e481fb298bfcdb753115399
              • Instruction ID: de5f9b0ca2700a75882c9558198f7658783b33fd5da44c9d4442d47c26dbc45d
              • Opcode Fuzzy Hash: 1cb6db2cf5b22214da5fe5fe3b5ff12f502274762e481fb298bfcdb753115399
              • Instruction Fuzzy Hash: 6D41E2B1D00729CEDB14CFAAC8846CEBBB5BF49704F24819ED408AB255DB756949CF90
              Function 017C44B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 480 17c44b0-17c59d9 CreateActCtxA 485 17c59db-17c59e1 480->485 486 17c59e2-17c5a3c 480->486 485->486 493 17c5a3e-17c5a41 486->493 494 17c5a4b-17c5a4f 486->494 493->494 495 17c5a60 494->495 496 17c5a51-17c5a5d 494->496 498 17c5a61 495->498 496->495 498->498
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 017C59C9
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: c14826a2be558ef2ae9491ff48259e0d78bc291fcb0d5a087e1cf043ef4654fe
              • Instruction ID: 66d977448776f0c4cba684fdc57bd397c8305539bd96a027c1e7789d45f13db1
              • Opcode Fuzzy Hash: c14826a2be558ef2ae9491ff48259e0d78bc291fcb0d5a087e1cf043ef4654fe
              • Instruction Fuzzy Hash: CE41E2B0D00719CBDB24CFAAC8847CEBBB5BF49704F2481AED408AB255DB756949CF90
              Function 017CD751 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 499 17cd751-17cd758 500 17cd75a 499->500 501 17cd714-17cd724 DuplicateHandle 499->501 504 17cd75c-17cd75e 500->504 505 17cd761-17cd763 500->505 502 17cd72d-17cd74a 501->502 503 17cd726-17cd72c 501->503 503->502 506 17cd765-17cd87e 504->506 507 17cd760 504->507 505->506 507->505
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD717
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: f6c3be367173ed7aef80ea5ec4960ffef43f66855e4d5c3a749623278c894d7b
              • Instruction ID: a5ead95ef9e1bb3a39001337d7a7a839095538e659c471453e4d541f3ae1c2e8
              • Opcode Fuzzy Hash: f6c3be367173ed7aef80ea5ec4960ffef43f66855e4d5c3a749623278c894d7b
              • Instruction Fuzzy Hash: 54318B74A51784CFEB049F68F45AA697FA2E784711F10C16DF9028B3D4CEB84945EF21
              Function 017CD688 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 521 17cd688-17cd68e 522 17cd695-17cd724 DuplicateHandle 521->522 523 17cd690-17cd694 521->523 524 17cd72d-17cd74a 522->524 525 17cd726-17cd72c 522->525 523->522 525->524
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD717
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: f0e39d1f390e28012e2efb9e7eabaa9f02a4990603c602adf302fc5e6e3a4a65
              • Instruction ID: cf143faec24145b88079a62ca72a9bfdfdd0008fa11b5a2939bf350c21939094
              • Opcode Fuzzy Hash: f0e39d1f390e28012e2efb9e7eabaa9f02a4990603c602adf302fc5e6e3a4a65
              • Instruction Fuzzy Hash: 1221E3B59002589FDB10CF9AD984ADEFFF9FB48314F14802AE958A7310D374A944CFA5
              Function 017CD690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 528 17cd690-17cd694 529 17cd695-17cd724 DuplicateHandle 528->529 530 17cd72d-17cd74a 529->530 531 17cd726-17cd72c 529->531 531->530
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD717
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: c6a48c0e71c7e492f7946f8801c742fcc5c0006556d1a20e469b078d963eb21a
              • Instruction ID: b4e2a3a78e92f5593e334de0f5ac61a4aa17d538bb598fee2a4c19d73bf95226
              • Opcode Fuzzy Hash: c6a48c0e71c7e492f7946f8801c742fcc5c0006556d1a20e469b078d963eb21a
              • Instruction Fuzzy Hash: 7721E3B59002589FDB10CF9AD584ADEFBF8EB48310F14802AE918A3310D374A944CFA4
              Function 017CAF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 534 17caf98-17cafd8 538 17cafda-17cafdd 534->538 539 17cafe0-17cb00b GetModuleHandleW 534->539 538->539 540 17cb00d-17cb013 539->540 541 17cb014-17cb028 539->541 540->541
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 017CAFFE
              Memory Dump Source
              • Source File: 00000009.00000002.1884640712.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_17c0000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: db731fc9eabe277add023830a9bfc6e0d8a45b91634eed5a31d1ac55589ddb09
              • Instruction ID: 0c52daf678f1983315985fd2b4458c6a87d805e12a49dd597d4d2191126e3773
              • Opcode Fuzzy Hash: db731fc9eabe277add023830a9bfc6e0d8a45b91634eed5a31d1ac55589ddb09
              • Instruction Fuzzy Hash: 5311E0B5C003498FDB14CF9AD444BDEFBF8AB88724F10842ED569A7210D375A545CFA5
              Function 0156D3D8 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e6223752f0bc7b3d416886facd08e3aa6b288edeb4174093ae34bb4fde65255
              • Instruction ID: 7c7c3fd880c43a7e40b0a1636028c6138de1029280f5030f93faed3a21e6c9e2
              • Opcode Fuzzy Hash: 6e6223752f0bc7b3d416886facd08e3aa6b288edeb4174093ae34bb4fde65255
              • Instruction Fuzzy Hash: D0214871200244DFDB01DF48C9C0B5ABFB9FB98315F20C969D9494F256C376E846C6E1
              Function 0156D4C4 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76e5bf9e03d9262989168b8e68d4979a5243488b80324bb8864d87525ea35456
              • Instruction ID: 056fb55f107191f78043fd693cf13779331e92504bfccd984f15d877577bb577
              • Opcode Fuzzy Hash: 76e5bf9e03d9262989168b8e68d4979a5243488b80324bb8864d87525ea35456
              • Instruction Fuzzy Hash: C4213371600240DFCB01DF58C9C0B2ABFB9FB98318F20C969E8890F656C336D446CAE1
              Function 0177D1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1871602205.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_177d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17aae8b7bc4010c5e2494e043c6afd6335e466c845b6382a7c69fe6ecfa247c1
              • Instruction ID: 7611be77be34bb4d8fa03ec32b9fe0e7d4f0cd7858a6bd3beee52434da462a1f
              • Opcode Fuzzy Hash: 17aae8b7bc4010c5e2494e043c6afd6335e466c845b6382a7c69fe6ecfa247c1
              • Instruction Fuzzy Hash: F821D071608200EFDF25DF98D980B26FBA5FF88324F24C6ADE9494B256C336D446CA61
              Function 0177D01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1871602205.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_177d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27db4e361d0ea182927600c1beb3fc0d00e27db62ca1faa31db4bb355c0dc472
              • Instruction ID: 0cd6dbedf42b7889064a75fd2f91a3ee0b871611a767dc30cd7edefb27234645
              • Opcode Fuzzy Hash: 27db4e361d0ea182927600c1beb3fc0d00e27db62ca1faa31db4bb355c0dc472
              • Instruction Fuzzy Hash: AA210071604200DFCF26DF58D984B26FBA5EF88314F20C5ADD80A4B256C33AD446CA61
              Function 0156D3D3 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 9d5c7917643fa6e87a00ac01d9fbe58eb968a8eaccb9c44a545a691eb7f6ab7b
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 9611DF72504240CFDB02CF44D5C4B5ABF71FB94324F24C6A9D9490F256C33AE85ACBA1
              Function 0156D4BF Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: 3f76f3facaec07be2f3dd893c31aeecc9cbb2c053fe7f68ea61d9500f547babe
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: D411E172504280CFCB12CF54D5C4B1ABF71FB94318F24C6AAD8490F656C33AD45ACBA1
              Function 0177D017 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1871602205.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_177d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 0cffa5ff1eb3ae3972fab665d4e4b24c6b152c7376f5372f352eeb30965a36e6
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 1211D075504280CFDB12CF54D5C4B15FF61FF44314F24C6AAD8094B656C33AD41ACB61
              Function 0177D1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1871602205.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_177d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction ID: 00b66ce60aeca8b2c469dad71aa06701c63a9c50be8dcfc9c045df474ef23236
              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
              • Instruction Fuzzy Hash: 4C11BB75508280DFDB12CF54C5C4B15FFA1FF84224F28C6AADC494B296C33AD40ACB61
              Function 0156D745 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baa0fb65519bad27a2983abdc95768d2044a18f92493eb0b6d4d3d247f624b1a
              • Instruction ID: 5805979e782eb27b6e060fd35daa2f948e2ecb1c477b085ca213c6ef0b5143cb
              • Opcode Fuzzy Hash: baa0fb65519bad27a2983abdc95768d2044a18f92493eb0b6d4d3d247f624b1a
              • Instruction Fuzzy Hash: 8E0184712083809AE7115E69C984B6BBFECFF45324F18CD2AED494F286D67D9840C6F2
              Function 0156D744 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000009.00000002.1854677484.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_9_2_156d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 03665870b24a57017a29b8655c05010eabd57af2008c6c935c12fbe8799d3ee0
              • Instruction ID: 0dc834407840edf914ebf74e194354bff8343f561614da82b6d86b61d2cb6db3
              • Opcode Fuzzy Hash: 03665870b24a57017a29b8655c05010eabd57af2008c6c935c12fbe8799d3ee0
              • Instruction Fuzzy Hash: 38F062715083849AE7118E1AD888B66FFACFB81634F18C85AED484F286C67D9844CAB1

              Execution Graph

              Execution Coverage:0%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:3
              Total number of Limit Nodes:0
              execution_graph 61861 13a2c1d 61862 13a2c1f LdrInitializeThunk 61861->61862 61864 13a2c70 LdrInitializeThunk

              Executed Functions

              Function 013A2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 13a2c0a-13a2c0f 1 13a2c1f-13a2c26 LdrInitializeThunk 0->1 2 13a2c11-13a2c18 0->2 2->1
              APIs
              • LdrInitializeThunk.NTDLL(013BFD4F,000000FF,00000024,01456634,00000004,00000000,?,-00000018,7D810F61,?,?,01378B12,?,?,?,?), ref: 013A2C24
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b21f120347e9df1730d34ebf90e7154b728406e33f1d662833bb81118120be78
              • Instruction ID: 34d9def93e3df3615f4f241e3aad55810cd6d7088671b79ae0072b08a6b9f6e9
              • Opcode Fuzzy Hash: b21f120347e9df1730d34ebf90e7154b728406e33f1d662833bb81118120be78
              • Instruction Fuzzy Hash: 03B09B719015C5C5EE11E7644A087177A04B7D0705F55C061D3030681F4738C1D5E675
              Function 013A2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 7 13a2df0-13a2dfc LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(013DE73E,0000005A,0143D040,00000020,00000000,0143D040,00000080,013C4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,013AAE00), ref: 013A2DFA
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 6e76c2f03bf5173443565c784fabbc6c3cbeee88ffc60d54f709231aafbe01f9
              • Instruction ID: 3bc0c1f16a06d451ce343cda8a104b64e7b9bae6df8efa672e2a50d03ffd4db0
              • Opcode Fuzzy Hash: 6e76c2f03bf5173443565c784fabbc6c3cbeee88ffc60d54f709231aafbe01f9
              • Instruction Fuzzy Hash: B190023520140413E111715C4944747010D97D0245F95C452A1425598DE6568A56A621
              Function 013A2C1D Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 4 13a2c1d-13a2c26 LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(013BFD4F,000000FF,00000024,01456634,00000004,00000000,?,-00000018,7D810F61,?,?,01378B12,?,?,?,?), ref: 013A2C24
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c800536caa3b804dc7e9dabb53d7159eae9efb6abe1c3a59c073fdfe6a9e4b6c
              • Instruction ID: 8720eba3ce6fbae5b0c2e0ad82a39fe24fb5825966d69297b4ca72c015ed0a1b
              • Opcode Fuzzy Hash: c800536caa3b804dc7e9dabb53d7159eae9efb6abe1c3a59c073fdfe6a9e4b6c
              • Instruction Fuzzy Hash: AAA002391518044A9100F66888848462359ABD5609365C485D30256A3DD7319555AA31
              Function 013A2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 6 13a2c70-13a2c7c LdrInitializeThunk
              APIs
              • LdrInitializeThunk.NTDLL(0135FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,013B7BE5,00001000,00004000,000000FF,?,00000000), ref: 013A2C7A
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4351a0ba508c95652ea96720900423e43f4fb6226102995a0318c3e205d6d235
              • Instruction ID: 38d8839c0a1ecbda891b711738bb9944c9fe390a30ef7836129fa42686e8f132
              • Opcode Fuzzy Hash: 4351a0ba508c95652ea96720900423e43f4fb6226102995a0318c3e205d6d235
              • Instruction Fuzzy Hash: 8E90023520148802E110715C884478A010997D0305F59C451A5425698DD69589957621
              Function 013A35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 8 13a35c0-13a35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 29ca6cbdb41a70239a4f3203ffe02cb49e11ce938b605c065736d091a95eaddb
              • Instruction ID: a7f6a28d55068434a34afc7a91440d1fef08ad2ea310f8f010244d7ede340a8e
              • Opcode Fuzzy Hash: 29ca6cbdb41a70239a4f3203ffe02cb49e11ce938b605c065736d091a95eaddb
              • Instruction Fuzzy Hash: 0390023560550402E100715C4954746110997D0205F65C451A14255A8DD7958A556AA2
              Function 0042DF33 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 20 42df33-42df74 23 42df76-42df93 20->23 24 42dfce-42dfd3 20->24 26 42dfa6-42dfc5 23->26 27 42df95-42dfa3 23->27 30 42dfcb 26->30 27->26 30->24
              Memory Dump Source
              • Source File: 0000000D.00000002.1978372329.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_42d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99e3aea1523fdab011d2b345fba0c0fc3e3b11223038743f7e6fccc1ee9c3833
              • Instruction ID: e5f898755b9f223762972a00512d99e935245ee83e1376ee5f455dfdfaad11cd
              • Opcode Fuzzy Hash: 99e3aea1523fdab011d2b345fba0c0fc3e3b11223038743f7e6fccc1ee9c3833
              • Instruction Fuzzy Hash: 1F0175B1D1521C66FB68FBA59D42F99B3B89B04704F4082DAB50CA2181FF787748CE59
              Function 0042DF31 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 9 42df31-42df4a 10 42df59-42df60 9->10 11 42df6f-42df74 10->11 12 42df76-42df7f 11->12 13 42dfce-42dfd3 11->13 14 42df8e-42df93 12->14 15 42dfa6-42dfc5 14->15 16 42df95-42dfa3 14->16 19 42dfcb 15->19 16->15 19->13
              Memory Dump Source
              • Source File: 0000000D.00000002.1978372329.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_42d000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: acfa1071bb1b9096476d3ea49df59c3587ffc27336cee8fda0960cc7dc34c18a
              • Instruction ID: fc2c7c70b7701cd96d43e3408ca198dac0ca493f4d4c7f2bcf0a8bc2253e95dc
              • Opcode Fuzzy Hash: acfa1071bb1b9096476d3ea49df59c3587ffc27336cee8fda0960cc7dc34c18a
              • Instruction Fuzzy Hash: D60152B1D1561C66FB68FBA59D42F99B3B89B04304F4082DAA60CA2181FB787748CE59

              Non-executed Functions

              Function 013A2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 227 13a2890-13a28b3 228 13da4bc-13da4c0 227->228 229 13a28b9-13a28cc 227->229 228->229 230 13da4c6-13da4ca 228->230 231 13a28ce-13a28d7 229->231 232 13a28dd-13a28df 229->232 230->229 233 13da4d0-13da4d4 230->233 231->232 234 13da57e-13da585 231->234 235 13a28e1-13a28e5 232->235 233->229 238 13da4da-13da4de 233->238 234->232 236 13a28eb-13a28fa 235->236 237 13a2988-13a298e 235->237 239 13da58a-13da58d 236->239 240 13a2900-13a2905 236->240 241 13a2908-13a290c 237->241 238->229 242 13da4e4-13da4eb 238->242 239->241 240->241 241->235 243 13a290e-13a291b 241->243 244 13da4ed-13da4f4 242->244 245 13da564-13da56c 242->245 246 13a2921 243->246 247 13da592-13da599 243->247 249 13da50b 244->249 250 13da4f6-13da4fe 244->250 245->229 248 13da572-13da576 245->248 252 13a2924-13a2926 246->252 259 13da5a1-13da5c9 call 13b0050 247->259 248->229 253 13da57c call 13b0050 248->253 251 13da510-13da536 call 13b0050 249->251 250->229 254 13da504-13da509 250->254 267 13da55d-13da55f 251->267 256 13a2928-13a292a 252->256 257 13a2993-13a2995 252->257 253->267 254->251 263 13a292c-13a292e 256->263 264 13a2946-13a2966 call 13b0050 256->264 257->256 261 13a2997-13a29b1 call 13b0050 257->261 276 13a2969-13a2974 261->276 263->264 270 13a2930-13a2944 call 13b0050 263->270 264->276 273 13a2981-13a2985 267->273 270->264 276->252 278 13a2976-13a2979 276->278 278->259 279 13a297f 278->279 279->273
              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID:
              • API String ID: 48624451-0
              • Opcode ID: 64c57e541285ad5c8e23debf70ab2d1719a30fa9adb4158049c6e7cd0e49bce3
              • Instruction ID: b8eef08ab22e06c7a1dfd42dd3cdf6f47322fca1dc9bce9f5c4749781bf932f3
              • Opcode Fuzzy Hash: 64c57e541285ad5c8e23debf70ab2d1719a30fa9adb4158049c6e7cd0e49bce3
              • Instruction Fuzzy Hash: B351E6B6A0011ABFCB11DB9C898097FFBBCFB48648B948229F5A5D7641D334DE1087E0
              Function 0137A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 280 137a250-137a26f 281 137a275-137a291 280->281 282 137a58d-137a594 280->282 284 137a297-137a2a0 281->284 285 13c79e6-13c79eb 281->285 282->281 283 137a59a-13c79bb 282->283 283->281 290 13c79c1-13c79c6 283->290 284->285 286 137a2a6-137a2ac 284->286 288 137a2b2-137a2b4 286->288 289 137a6ba-137a6bc 286->289 288->285 292 137a2ba-137a2bd 288->292 291 137a6c2 289->291 289->292 293 137a473-137a479 290->293 294 137a2c3-137a2c6 291->294 292->285 292->294 295 137a2da-137a2dd 294->295 296 137a2c8-137a2d1 294->296 299 137a6c7-137a6d0 295->299 300 137a2e3-137a32b 295->300 297 137a2d7 296->297 298 13c79cb-13c79d5 296->298 297->295 302 13c79da-13c79e3 call 13ef290 298->302 299->300 301 137a6d6-13c79ff 299->301 303 137a330-137a335 300->303 301->302 302->285 306 137a47c-137a47f 303->306 307 137a33b-137a343 303->307 308 137a485-137a488 306->308 309 137a34f-137a35d 306->309 307->309 311 137a345-137a349 307->311 312 137a48e-137a49e 308->312 313 13c7a16-13c7a19 308->313 309->312 315 137a363-137a368 309->315 311->309 314 137a59f-137a5a8 311->314 312->313 318 137a4a4-137a4ad 312->318 316 13c7a1f-13c7a24 313->316 317 137a36c-137a36e 313->317 319 137a5c0-137a5c3 314->319 320 137a5aa-137a5ac 314->320 315->317 321 13c7a2b 316->321 325 137a374-137a38c call 137a6e0 317->325 326 13c7a26 317->326 318->317 323 13c7a01 319->323 324 137a5c9-137a5cc 319->324 320->309 322 137a5b2-137a5bb 320->322 327 13c7a2d-13c7a2f 321->327 322->317 328 13c7a0c 323->328 324->328 329 137a5d2-137a5d5 324->329 333 137a4b2-137a4b9 325->333 334 137a392-137a3ba 325->334 326->321 327->293 332 13c7a35 327->332 328->313 329->320 335 137a3bc-137a3be 333->335 336 137a4bf-137a4c2 333->336 334->335 335->327 337 137a3c4-137a3cb 335->337 336->335 338 137a4c8-137a4d3 336->338 339 137a3d1-137a3d4 337->339 340 13c7ae0 337->340 338->303 341 137a3e0-137a3ea 339->341 342 13c7ae4-13c7afc call 13ef290 340->342 341->342 343 137a3f0-137a40c call 137a840 341->343 342->293 348 137a5d7-137a5e0 343->348 349 137a412-137a417 343->349 351 137a5e2-137a5eb 348->351 352 137a601-137a603 348->352 349->293 350 137a419-137a43d 349->350 356 137a440-137a443 350->356 351->352 353 137a5ed-137a5f1 351->353 354 137a605-137a623 call 1364508 352->354 355 137a629-137a631 352->355 357 137a5f7-137a5fb 353->357 358 137a681-137a6ab RtlDebugPrintTimes 353->358 354->293 354->355 360 137a449-137a44c 356->360 361 137a4d8-137a4dc 356->361 357->352 357->358 358->352 379 137a6b1-137a6b5 358->379 363 137a452-137a454 360->363 364 13c7ad6 360->364 365 137a4e2-137a4e5 361->365 366 13c7a3a-13c7a42 361->366 369 137a520-137a539 call 137a6e0 363->369 370 137a45a-137a461 363->370 364->340 367 137a634-137a64a 365->367 371 137a4eb-137a4ee 365->371 366->367 368 13c7a48-13c7a4c 366->368 373 137a4f4-137a50c 367->373 374 137a650-137a659 367->374 368->367 375 13c7a52-13c7a5b 368->375 387 137a53f-137a567 369->387 388 137a65e-137a665 369->388 376 137a467-137a46c 370->376 377 137a57b-137a582 370->377 371->360 371->373 373->360 384 137a512-137a51b 373->384 374->363 381 13c7a5d-13c7a60 375->381 382 13c7a85-13c7a87 375->382 376->293 383 137a46e 376->383 377->341 380 137a588 377->380 379->352 380->340 389 13c7a6e-13c7a71 381->389 390 13c7a62-13c7a6c 381->390 382->367 386 13c7a8d-13c7a96 382->386 383->293 384->363 386->363 391 137a569-137a56b 387->391 388->391 392 137a66b-137a66e 388->392 394 13c7a7e 389->394 395 13c7a73-13c7a7c 389->395 393 13c7a81 390->393 391->376 396 137a571-137a573 391->396 392->391 397 137a674-137a67c 392->397 393->382 394->393 395->386 398 13c7a9b-13c7aa4 396->398 399 137a579 396->399 397->356 398->399 400 13c7aaa-13c7ab0 398->400 399->377 400->399 401 13c7ab6-13c7abe 400->401 401->399 402 13c7ac4-13c7acf 401->402 402->401 403 13c7ad1 402->403 403->399
              Strings
              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013C79FA
              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013C79D5
              • SsHd, xrefs: 0137A3E4
              • RtlpFindActivationContextSection_CheckParameters, xrefs: 013C79D0, 013C79F5
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
              • API String ID: 0-929470617
              • Opcode ID: fe2633b6dc1805daaf6372818f27540b613f9124e721ae7242c6c8f24cd9bb5d
              • Instruction ID: 4d45f00455ff1148c84119507c1340bece0ba85fbc7bcf86810ba4f32445ac35
              • Opcode Fuzzy Hash: fe2633b6dc1805daaf6372818f27540b613f9124e721ae7242c6c8f24cd9bb5d
              • Instruction Fuzzy Hash: 71E1C1716043068FE735CE2CC884B6EBBE5BB8462CF184A2DE995CB391D739E945CB41
              Function 0137D770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 404 137d770-137d7ab 405 137d9e7-137d9ee 404->405 406 137d7b1-137d7bb 404->406 405->406 407 137d9f4-13c932c 405->407 408 137d7c1-137d7ca 406->408 409 13c9357 406->409 407->406 412 13c9332-13c9337 407->412 408->409 411 137d7d0-137d7d3 408->411 413 13c9361-13c9370 409->413 414 137d9da-137d9dc 411->414 415 137d7d9-137d7db 411->415 417 137d927-137d938 call 13a4c30 412->417 419 13c934b-13c9354 call 13ef290 413->419 416 137d7e1-137d7e4 414->416 418 137d9e2 414->418 415->409 415->416 416->409 420 137d7ea-137d7ed 416->420 418->420 419->409 423 137d7f3-137d7f6 420->423 424 137d9f9-137da02 420->424 427 137da0d-137da16 423->427 428 137d7fc-137d848 call 137d660 423->428 424->423 429 137da08-13c9346 424->429 427->428 432 137da1c 427->432 428->417 434 137d84e-137d852 428->434 429->419 432->413 434->417 435 137d858-137d85f 434->435 436 137d865-137d869 435->436 437 137d9d1-137d9d5 435->437 439 137d870-137d87a 436->439 438 13c9563-13c957b call 13ef290 437->438 438->417 439->438 440 137d880-137d887 439->440 442 137d8ed-137d90d 440->442 443 137d889-137d88d 440->443 445 137d910-137d913 442->445 446 137d893-137d898 443->446 447 13c9372 443->447 448 137d915-137d918 445->448 449 137d93b-137d940 445->449 450 13c9379-13c937b 446->450 451 137d89e-137d8a5 446->451 447->450 452 13c9559-13c955e 448->452 453 137d91e-137d920 448->453 454 137d946-137d949 449->454 455 13c94d3-13c94db 449->455 450->451 456 13c9381-13c93aa 450->456 457 13c93ea-13c93ed 451->457 458 137d8ab-137d8e3 call 13a8250 451->458 452->417 460 137d922 453->460 461 137d971-137d98c call 137a6e0 453->461 462 137da21-137da2f 454->462 463 137d94f-137d952 454->463 455->462 464 13c94e1-13c94e5 455->464 456->442 465 13c93b0-13c93ca call 13b82c0 456->465 459 13c93f1-13c9400 call 13b82c0 457->459 475 137d8e5-137d8e7 458->475 486 13c9417 459->486 487 13c9402-13c9410 459->487 460->417 482 13c9528-13c952d 461->482 483 137d992-137d9ba 461->483 470 137d954-137d964 462->470 473 137da35-137da3e 462->473 463->448 463->470 464->462 471 13c94eb-13c94f4 464->471 465->475 481 13c93d0-13c93e3 465->481 470->448 477 137d966-137d96f 470->477 478 13c94f6-13c94f9 471->478 479 13c9512-13c9514 471->479 473->453 475->442 484 13c9420-13c9424 475->484 477->453 488 13c94fb-13c9501 478->488 489 13c9503-13c9506 478->489 479->462 485 13c951a-13c9523 479->485 481->465 490 13c93e5 481->490 493 137d9bc-137d9be 482->493 494 13c9533-13c9536 482->494 483->493 484->442 496 13c942a-13c9430 484->496 485->453 486->484 487->459 495 13c9412 487->495 488->479 491 13c950f 489->491 492 13c9508-13c950d 489->492 490->442 491->479 492->485 497 137d9c4-137d9cb 493->497 498 13c9549-13c954e 493->498 494->493 499 13c953c-13c9544 494->499 495->442 500 13c9457-13c9460 496->500 501 13c9432-13c944f 496->501 497->437 497->439 498->417 502 13c9554 498->502 499->445 504 13c94a7-13c94a9 500->504 505 13c9462-13c9467 500->505 501->500 503 13c9451-13c9454 501->503 502->452 503->500 507 13c94cc-13c94ce 504->507 508 13c94ab-13c94c6 call 1364508 504->508 505->504 506 13c9469-13c946d 505->506 509 13c946f-13c9473 506->509 510 13c9475-13c94a1 RtlDebugPrintTimes 506->510 507->417 508->417 508->507 509->504 509->510 510->504 514 13c94a3 510->514 514->504
              APIs
              Strings
              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013C936B
              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 013C9346
              • GsHd, xrefs: 0137D874
              • RtlpFindActivationContextSection_CheckParameters, xrefs: 013C9341, 013C9366
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
              • API String ID: 3446177414-576511823
              • Opcode ID: b38fc1d19a1ee7ee3e6698ad05b26eba185a75872e8566dd872aa5dffc39d371
              • Instruction ID: cbab13419493c0c616447e670a1d6c8406a804e9c4172751a458b8832911f93b
              • Opcode Fuzzy Hash: b38fc1d19a1ee7ee3e6698ad05b26eba185a75872e8566dd872aa5dffc39d371
              • Instruction Fuzzy Hash: E2E1F570604346DFDB20CF68C880B2ABBE5BF8971CF054A2DE995DB281D775E944CB52
              Function 013AB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 515 13ab5ec-13ab5fc 516 13ab5fe 515->516 517 13ab600-13ab602 515->517 516->517 518 13ab608-13ab60d 517->518 519 13ab830-13ab844 call 13a4b87 517->519 521 13ab60f-13ab612 518->521 522 13ab621-13ab62e 518->522 521->519 524 13ab618-13ab61b 521->524 525 13ab631-13ab63d call 13ab5e6 522->525 524->519 524->522 528 13ab64a-13ab653 525->528 529 13ab63f-13ab644 525->529 531 13ab65a-13ab65d 528->531 532 13ab655-13ab658 528->532 529->529 530 13ab646-13ab648 529->530 530->525 533 13ab65f-13ab662 531->533 534 13ab665-13ab66d 531->534 532->533 533->534 535 13ab66f-13ab672 534->535 536 13ab690-13ab693 534->536 539 13ab67c-13ab680 535->539 540 13ab674 535->540 537 13ab6ad-13ab6d4 call 13a6810 536->537 538 13ab695-13ab698 536->538 550 13ab6d7-13ab6e9 call 13ab5e6 537->550 538->537 541 13ab69a-13ab69e 538->541 544 13ab68a-13ab68d 539->544 545 13ab682-13ab684 539->545 543 13ab676-13ab67a 540->543 546 13ab6a0-13ab6a2 541->546 547 13ab6a4-13ab6aa 541->547 543->537 544->536 545->544 549 13ab686-13ab688 545->549 546->537 546->547 547->537 549->543 553 13ab6eb-13ab6f1 550->553 554 13ab6f3-13ab704 call 13ab5e6 550->554 555 13ab71b-13ab727 553->555 563 13ab70a-13ab713 554->563 564 13ab791-13ab794 554->564 557 13ab729-13ab735 555->557 558 13ab797 555->558 560 13ab766-13ab769 557->560 561 13ab737 557->561 562 13ab79a-13ab79e 558->562 571 13ab76c-13ab786 call 13a6580 560->571 567 13ab739-13ab73c 561->567 568 13ab73e-13ab741 561->568 569 13ab7ad-13ab7b0 562->569 570 13ab7a0-13ab7a2 562->570 565 13ab718 563->565 566 13ab715 563->566 564->558 565->555 566->565 567->560 567->568 574 13ab743-13ab746 568->574 575 13ab757-13ab762 568->575 576 13ab7df-13ab7ed call 13ed8b0 569->576 577 13ab7b2-13ab7b5 569->577 572 13ab7a7-13ab7ab 570->572 573 13ab7a4 570->573 586 13ab789-13ab78c 571->586 581 13ab815-13ab81a 572->581 573->572 574->575 582 13ab748-13ab74e 574->582 575->562 585 13ab764 575->585 595 13ab7ef-13ab7f5 576->595 596 13ab7f7-13ab7fa 576->596 583 13ab80f 577->583 584 13ab7b7-13ab7ba 577->584 592 13ab81e-13ab821 581->592 593 13ab81c 581->593 582->571 588 13ab750 582->588 589 13ab812 583->589 590 13ab7ce-13ab7d3 584->590 591 13ab7bc-13ab7c1 584->591 585->586 586->550 588->575 597 13ab752-13ab755 588->597 589->581 590->583 594 13ab7d5 590->594 591->576 598 13ab7c3-13ab7c6 591->598 599 13ab829-13ab82f 592->599 600 13ab823-13ab827 592->600 593->592 594->576 601 13ab7d7-13ab7dd 594->601 595->581 602 13ab7fc-13ab803 596->602 603 13ab805-13ab80d 596->603 597->571 597->575 598->589 604 13ab7c8-13ab7ca 598->604 600->599 601->576 601->589 602->581 603->581 604->576 605 13ab7cc 604->605 605->589
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
              • Instruction ID: 8929df9aebdf465f3ef4302f46ae7f2486d2c50d2f4e7f8e52e1d4df906e7701
              • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
              • Instruction Fuzzy Hash: D181C070E052498EEF29CF6CC8917FEFFB5EF45328F984219D861A7299C77588408B61
              Function 01369126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 606 1369126-13691db call 13b7eb0 call 13a9020 call 1379950 613 13691f1-13691f8 606->613 614 13691dd-13691ee 606->614 613->614 615 13691fa-1369201 613->615 615->614 616 1369203-136921f call 137a250 615->616 616->614 619 1369221-1369227 616->619 620 13c2518-13c251d 619->620 621 136922d-1369234 619->621 620->614 622 136923a 621->622 623 13c2522-13c2529 621->623 625 1369241-136929e call 1385b20 622->625 624 13c252f-13c2539 623->624 623->625 624->625 625->614 628 13692a4-13692ba call 13805a0 625->628 628->614 631 13692c0-13c256b RtlDebugPrintTimes 628->631 631->614 634 13c2571-13c257a 631->634 635 13c2580-13c2595 call 137dd20 634->635 636 13c2651-13c265c 634->636 641 13c259d-13c25cb call 1379950 635->641 642 13c2597-13c2598 call 1373c70 635->642 637 13c265e-13c2669 RtlDebugPrintTimes ReleaseActCtx 636->637 638 13c26a0-13c26a7 636->638 637->638 638->614 646 13c25cd-13c25ea call 137a250 641->646 647 13c2645-13c264c call 13c2674 641->647 642->641 646->647 651 13c25ec-13c25f2 646->651 647->636 652 13c25fb-13c2638 call 13805a0 651->652 653 13c25f4-13c25f9 651->653 652->647 657 13c263a 652->657 654 13c263f 653->654 654->647 657->654
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $$@
              • API String ID: 3446177414-1194432280
              • Opcode ID: 9273b27dfca1f352471561a129d5704648f1a1aae2ac262326cb0cf958e78437
              • Instruction ID: 9f78a851c36aede8cdbc03954482260230413fd79b68ff4b8a14c0296e2d0f21
              • Opcode Fuzzy Hash: 9273b27dfca1f352471561a129d5704648f1a1aae2ac262326cb0cf958e78437
              • Instruction Fuzzy Hash: 00811B71D00269DBDB35DB58CC44BEEB6B8AB48718F1041DAEA19B7640E7709E84CFA0
              Function 0138D7B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151timeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 658 138d7b0-138d7cd call 13b7e54 661 138d8f0-138d8ff 658->661 662 138d7d3-138d7e9 658->662 663 138d7ef-138d7f6 662->663 664 13cf2b6-13cf2b8 662->664 665 138d7fc-138d812 663->665 666 13cf2c0-13cf2e2 call 13dea12 663->666 664->666 668 138d818-138d820 665->668 669 138d93d-138d961 RtlDebugPrintTimes 665->669 674 13cf2ea-13cf303 666->674 671 138d829-138d830 668->671 672 138d822-138d824 call 1364859 668->672 669->664 671->674 675 138d836-138d845 671->675 672->671 674->675 678 13cf309-13cf30f 674->678 677 138d846-138d84c 675->677 679 138d84e-138d862 677->679 680 138d8c1-138d8cb 677->680 681 138d8cd-138d8da GetPEB 678->681 679->677 684 138d864-138d86b 679->684 680->681 685 138d900-138d93b call 137dd20 call 137f183 call 138d96f 680->685 682 138d8e0-138d8e4 681->682 683 13cf332-13cf335 681->683 686 138d8eb call 138d978 682->686 687 138d8e6 call 138d9d0 682->687 683->682 690 13cf33b-13cf346 call 13e1348 683->690 684->677 688 138d86d-138d896 call 137dd20 684->688 685->681 686->661 687->686 699 138d898-138d8b4 call 137ddb1 call 138d966 688->699 700 138d8b6-138d8bf call 137f183 688->700 690->682 699->677 700->699
              APIs
              • RtlDebugPrintTimes.NTDLL ref: 0138D959
                • Part of subcall function 01364859: RtlDebugPrintTimes.NTDLL ref: 013648F7
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $$$$p.$)
              • API String ID: 3446177414-2596435465
              • Opcode ID: 684ea4273737c8df1965402c53518fdd7f3bcf8b5d44afdbebe87d58389a829c
              • Instruction ID: d9da588f63dc03bbf570fb35f2100ce37aed34319fd63f9d1d287e373a6e57df
              • Opcode Fuzzy Hash: 684ea4273737c8df1965402c53518fdd7f3bcf8b5d44afdbebe87d58389a829c
              • Instruction Fuzzy Hash: DE51DE72A0034A9FDB24EFA8D4847ADBFB2BF4831CF148159D4056B292C774E985CB80
              Function 0138DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1458 138db00-138db15 1459 138db1b-138db22 1458->1459 1460 13cf5f9-13cf603 1458->1460 1461 138db28-138db2f 1459->1461 1462 13cf608-13cf619 RtlDebugPrintTimes 1459->1462 1460->1462 1464 13cf61e-13cf628 GetPEB 1461->1464 1465 138db35-138db39 1461->1465 1462->1464 1467 13cf62a-13cf645 GetPEB call 135b970 1464->1467 1468 13cf647-13cf64c call 135b970 1464->1468 1469 138db3b-138db51 1465->1469 1470 138db70-138db7b GetPEB 1465->1470 1477 13cf651-13cf683 call 135b970 * 3 GetPEB 1467->1477 1468->1477 1469->1470 1475 138db53-138db6a 1469->1475 1472 138db81 1470->1472 1473 13cf703-13cf706 1470->1473 1478 138db86-138db89 1472->1478 1473->1472 1479 13cf70c-13cf71a GetPEB 1473->1479 1475->1470 1476 13cf69b-13cf69e 1475->1476 1484 13cf6a6-13cf6ae 1476->1484 1485 13cf6a0 1476->1485 1504 13cf694 1477->1504 1505 13cf685-13cf68d 1477->1505 1482 13cf71f-13cf72d GetPEB 1478->1482 1483 138db8f-138db95 1478->1483 1479->1478 1482->1483 1489 13cf733-13cf73a 1482->1489 1486 13cf6ba-13cf6c1 1484->1486 1487 13cf6b0-13cf6b7 call 138ffa0 1484->1487 1485->1484 1491 13cf6c4-13cf6d7 1486->1491 1487->1486 1489->1483 1495 13cf6d9-13cf6e4 call 138bba0 1491->1495 1496 13cf6e6-13cf6ef 1491->1496 1495->1491 1496->1470 1500 13cf6f5-13cf6fe call 138f3e0 1496->1500 1500->1470 1504->1476 1505->1504
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
              • API String ID: 3446177414-56086060
              • Opcode ID: 905ea27930a46e07297375202167a29ce49e5b7d7bd91403274302348b6119ad
              • Instruction ID: 76f2c0bc322da0a77bb5106d1ed44d268ad27a6e594116a56edd911f782d34c1
              • Opcode Fuzzy Hash: 905ea27930a46e07297375202167a29ce49e5b7d7bd91403274302348b6119ad
              • Instruction Fuzzy Hash: 19412271600745DBD722EF6CC485B6AB7B9EF41B6CF14816DE901877A2CB74AC80CB90
              Function 013E4755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON
              Download Yara Rule
              APIs
              Strings
              • LdrpCheckRedirection, xrefs: 013E488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 013E4888
              • minkernel\ntdll\ldrredirect.c, xrefs: 013E4899
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 3446177414-3154609507
              • Opcode ID: 9cb2f1cd9c66b528f2132aadde44546b22e9ac2932954a587bc2134164bcee5b
              • Instruction ID: f536811d9c25506745bcb662d922477320206c30613b6680f6d491daccef7a42
              • Opcode Fuzzy Hash: 9cb2f1cd9c66b528f2132aadde44546b22e9ac2932954a587bc2134164bcee5b
              • Instruction Fuzzy Hash: 3041B032A043719BCB21CE6DD848A267FE9AF8DA58F060569ED59D7392D731EC00CBD1
              Function 0138DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
              • API String ID: 3446177414-3526935505
              • Opcode ID: 1b65bec365dd1aec69c876f0ed79f14636b048b6726b9e04b2c7c9fff1029a43
              • Instruction ID: f5c44e2286a91c589607256acd47ac39ae0ad30ecf5eef294be409a942b5d064
              • Opcode Fuzzy Hash: 1b65bec365dd1aec69c876f0ed79f14636b048b6726b9e04b2c7c9fff1029a43
              • Instruction Fuzzy Hash: B031B431204784DFDB27AB6CC509B697BF9EB11B5CF044059E84687AA6C7B8AC84C751
              Function 0135C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $
              • API String ID: 3446177414-3993045852
              • Opcode ID: 790f98c90d37d7f0a78ad8a23e0d135d0ff60f8dcd753c95acb02b84be40070e
              • Instruction ID: 98dd388ab3f5912d038f8cf1cbb9e5344716d0285a10963b622e4cb84232bad2
              • Opcode Fuzzy Hash: 790f98c90d37d7f0a78ad8a23e0d135d0ff60f8dcd753c95acb02b84be40070e
              • Instruction Fuzzy Hash: 87115E32A04219EBDF15AFA8E8887DC7B71FF44378F108119F92A676E0DB359A00CB40
              Function 0138EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 019bc1daad4a11f0dd3f144871ee37ba1b05235a9755c42314c058fb2aaa64b8
              • Instruction ID: 597656a5964bdb0596b9b9ceb992cf803922abbfb2526bfdcc5bfb6754d7df5b
              • Opcode Fuzzy Hash: 019bc1daad4a11f0dd3f144871ee37ba1b05235a9755c42314c058fb2aaa64b8
              • Instruction Fuzzy Hash: BBE11F75D00708DFCB25EFA9C984AADBBF9FF48318F24452AE546A7661D730A941CF10
              Function 013DEF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID:
              • API String ID: 3446177414-0
              • Opcode ID: 1c915fe56f762b6312a20b7ecd92789e70ccceeb5aedec1be0e0f0b288b5ec07
              • Instruction ID: 53a44b59d10246ec068251cbde6dd963bb6b56ab6363db9d633d343437a21b55
              • Opcode Fuzzy Hash: 1c915fe56f762b6312a20b7ecd92789e70ccceeb5aedec1be0e0f0b288b5ec07
              • Instruction Fuzzy Hash: 35711A72E0021ADFDF05CFA8D984ADDBBB9BF48318F194069E906EB254D734A906CF54
              Function 013DF1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID:
              • API String ID: 3446177414-0
              • Opcode ID: c41f87349693955192cc5d40ecaa9025c9d4a883d5c0d0b5e2f5614b3ffe3f0b
              • Instruction ID: 9a8197e39057336b15a99ecc079f08c6098828f15701b9b098eafe85c8fec12b
              • Opcode Fuzzy Hash: c41f87349693955192cc5d40ecaa9025c9d4a883d5c0d0b5e2f5614b3ffe3f0b
              • Instruction Fuzzy Hash: FC513676E00219DFDF08CF98E8856DDBBB9BF48318F15812AE906BB250DB349902CF54
              Function 01397B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes$BaseInitThreadThunk
              • String ID:
              • API String ID: 4281723722-0
              • Opcode ID: 6ada52a26ed1f8fac5e17db8cce63bc87e55df8e9734b9ecdc9ec5b63a6673f7
              • Instruction ID: 45eae4eba1c886e5314cfa976d338867fd7dde03abcddfadb01c47234dedafb6
              • Opcode Fuzzy Hash: 6ada52a26ed1f8fac5e17db8cce63bc87e55df8e9734b9ecdc9ec5b63a6673f7
              • Instruction Fuzzy Hash: A9312772E00229DFDF21DFA8E885A9DBBB0FB48714F10412AE511B76A4DB359901CF54
              Function 013659C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: f5d6e799bf0e30a2d77fb2010ad63d4a950b624a1d7c21a9ac24e7b16e037f12
              • Instruction ID: c8897d280fc7060ce0d31555b4aa91c53fc7751093fc5c0223a623b530332e7a
              • Opcode Fuzzy Hash: f5d6e799bf0e30a2d77fb2010ad63d4a950b624a1d7c21a9ac24e7b16e037f12
              • Instruction Fuzzy Hash: 713259B0D0426ADFDF25CF68C884BEDBBB8BB18348F0081E9D549A7645D7749A84CF90
              Function 013A7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
              • Instruction ID: 4832993363e51b915f39adfde8dcc8c5f6eca8188ef574ffcfd298b1eb2f8f40
              • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
              • Instruction Fuzzy Hash: B191B471E0020A9FEF24DF6DC8C0ABEBBB9EF44329F94451AE955E72C0D7328A418751
              Function 0137D02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: Bl$l
              • API String ID: 3446177414-208461968
              • Opcode ID: 8c1cce820143b294037404cd699bb74e8432c2b231830ef22f1200e9b59f660a
              • Instruction ID: d59a3dd57a9f53c7abe69b6ba7d86a630a0d5e9a2a0f698f4f063ec510b27a0b
              • Opcode Fuzzy Hash: 8c1cce820143b294037404cd699bb74e8432c2b231830ef22f1200e9b59f660a
              • Instruction Fuzzy Hash: 4AA1A331A04329DBEF31DB99C890BAEB7B5BF44308F0440E9D909A7651DB78AE85CF51
              Function 013A5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON
              Download Yara Rule
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 013A5E34
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: ErrorHandling__start
              • String ID: pow
              • API String ID: 3213639722-2276729525
              • Opcode ID: 6d0cfbe837ff5570044863072f11e81542dde4176adbf897397f9f4056d6726b
              • Instruction ID: aec5b4998e988ecea3f5b22595a2b78159ebf441ed9f65b04e86c585afd12a1a
              • Opcode Fuzzy Hash: 6d0cfbe837ff5570044863072f11e81542dde4176adbf897397f9f4056d6726b
              • Instruction Fuzzy Hash: 21516D71908206D7D712BB1CC9017BABF98EB4075CFD4C958E1D98629EEB38C4D98B86
              Function 01394C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID:
              • String ID: 0$Flst
              • API String ID: 0-758220159
              • Opcode ID: 10075180f9cca51a1a95d4a9b7d2f8b993191ea02650906c71cf4ede0fca7eb4
              • Instruction ID: b6ecd79fbbe49533a5107920e1452c41752dcd3ce5d6cb0225a8ed33a7663183
              • Opcode Fuzzy Hash: 10075180f9cca51a1a95d4a9b7d2f8b993191ea02650906c71cf4ede0fca7eb4
              • Instruction Fuzzy Hash: 1C51ACB6E00248CFDF26CF99D6846A9FBF5FF4431CF14806AD0099B256E7709982CB80
              Function 013DFD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: $
              • API String ID: 3446177414-3993045852
              • Opcode ID: 435367189eccd86bfe5bbe670a6dd6a6ca2624f078f43768981a8275f10ee370
              • Instruction ID: 3c61a75a8883a78aacbe06f314f18ef640996efda4d529c837f21f75d5122831
              • Opcode Fuzzy Hash: 435367189eccd86bfe5bbe670a6dd6a6ca2624f078f43768981a8275f10ee370
              • Instruction Fuzzy Hash: 8D4171B6A00209ABDF11DF99E880AEEBFB9FF48708F140119E905A7352D771DD16CB90
              Function 0135DF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 0000000D.00000002.1979069112.0000000001356000.00000040.00001000.00020000.00000000.sdmp, Offset: 01330000, based on PE: true
              • Associated: 0000000D.00000002.1979069112.0000000001330000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001337000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B0000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013B6000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.00000000013F2000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001453000.00000040.00001000.00020000.00000000.sdmpDownload File
              • Associated: 0000000D.00000002.1979069112.0000000001459000.00000040.00001000.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_1330000_fPtPRnPDTzobXQ.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: 0$0
              • API String ID: 3446177414-203156872
              • Opcode ID: 28d3bf3adc2a7189ab19d06bd13519296e740d9f6f9be733e7405184358af182
              • Instruction ID: b58c2f6631a415c342d1cae89fecbbe0255b65aabaee77ce2280b282fd700032
              • Opcode Fuzzy Hash: 28d3bf3adc2a7189ab19d06bd13519296e740d9f6f9be733e7405184358af182
              • Instruction Fuzzy Hash: 21415BB16087069FD350CF29C484E5ABBE5FB88718F04496EF988DB341D771EA09CB96