Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample Name: Purchase Order.exe
Analysis ID: 562512
MD5: 13d83a3812ec316654034e15f506aa06
SHA1: 9d4f2afe54ca9b3cd31912b10dcc288b6696f3ea
SHA256: 2518a50e9483da255cb061cb5eb966f41f39daf912341e7cf4442da4b362da8c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • Purchase Order.exe (PID: 4872 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 13D83A3812EC316654034E15F506AA06)
    • schtasks.exe (PID: 6592 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • tKZVPq.exe (PID: 5416 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: 13D83A3812EC316654034E15F506AA06)
    • schtasks.exe (PID: 4972 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tKZVPq.exe (PID: 3732 cmdline: {path} MD5: 13D83A3812EC316654034E15F506AA06)
  • tKZVPq.exe (PID: 3416 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: 13D83A3812EC316654034E15F506AA06)
    • schtasks.exe (PID: 6192 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tKZVPq.exe (PID: 6856 cmdline: {path} MD5: 13D83A3812EC316654034E15F506AA06)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "dattaprasad@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source | Rule | Description | Author | Strings
00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(41 entries in total; the first 5 are shown)

Source | Rule | Description | Author | Strings
7.0.Purchase Order.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.0.Purchase Order.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
7.0.Purchase Order.exe.400000.6.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30e3b:$s1: get_kbok
  • 0x3176f:$s2: get_CHoo
  • 0x323e2:$s3: set_passwordIsSet
  • 0x30c3f:$s4: get_enableLog
  • 0x35312:$s8: torbrowser
  • 0x33cee:$s10: logins
  • 0x3366d:$s11: credential
  • 0x30026:$g1: get_Clipboard
  • 0x30034:$g2: get_Keyboard
  • 0x30041:$g3: get_Password
  • 0x3161d:$g4: get_CtrlKeyDown
  • 0x3162d:$g5: get_ShiftKeyDown
  • 0x3163e:$g6: get_AltKeyDown
7.2.Purchase Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.Purchase Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(63 entries in total; the first 5 are shown)

System Summary

Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe" , ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 4872, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp, ProcessId: 6592
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 4848, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq

AV Detection

Source: 7.0.Purchase Order.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "dattaprasad@jkudyog.com", "Password": "%$#@lkjhgfdsa", "Host": "mail.jkudyog.com"}
Source: Purchase Order.exe | Virustotal: Detection: 39%
Source: Purchase Order.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | ReversingLabs: Detection: 50%
Source: Purchase Order.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | Joe Sandbox ML: detected
Source: 7.0.Purchase Order.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.2.tKZVPq.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.Purchase Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.Purchase Order.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 23.0.tKZVPq.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order.exe, 00000000.00000002.383066984.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542437762.0000000002401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552495218.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ybzARF.com
Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: tKZVPq.exe, 00000011.00000002.541479722.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Purchase Order.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.246817c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase Order.exe.2ea8150.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 19.2.tKZVPq.exe.2a7817c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: Purchase Order.exe
Source: 7.0.Purchase Order.exe.400000.10.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: 7.2.Purchase Order.exe.400000.0.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.6.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.8.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.4.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: 7.0.Purchase Order.exe.400000.12.unpack, <PrivateImplementationDetails>{B747C883-44A2-40F5-B49B-A4294DAD5307}/C3D243B9-893D-4BB7-88B3-E90A28290F7A.cs | Large array initialization: .cctor: array initializer size 11964
Source: Purchase Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.246817c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase Order.exe.2ea8150.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 19.2.tKZVPq.exe.2a7817c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process Stats: CPU usage > 98%
                    Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.383066984.0000000002E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.383716260.0000000003236000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.382135462.00000000009E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.389151124.0000000009170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000006.00000000.372788358.0000000000342000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000007.00000000.376065987.0000000000802000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaNWASxaOLUDUuWfyRdPyaxGxcwltyjgGnzufI.exe4 vs Purchase Order.exe
                    Source: Purchase Order.exe, 00000007.00000003.450912799.0000000006396000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe | Binary or memory string: OriginalFilenamekAj5Hnj.exe> vs Purchase Order.exe
                    Source: Purchase Order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TRaCepbEuy.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: tKZVPq.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Purchase Order.exe | Virustotal: Detection: 39%
                    Source: Purchase Order.exe | ReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File read: C:\Users\user\Desktop\Purchase Order.exe
                    Source: Purchase Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
                    Source: C:\Users\user\Desktop\Purchase Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
                    Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@20/9@0/0
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2532:120:WilError_01
                    Source: 7.0.Purchase Order.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 7.2.Purchase Order.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 7.0.Purchase Order.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Purchase Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Purchase Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_009156A1 pushad ; iretd 0_2_009156C8
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00914DD9 push esp; ret 0_2_00914DDD
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_011042CB push edi; ret 0_2_011042E2
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_011054E9 push esi; ret 0_2_011054EE
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 6_2_002756A1 pushad ; iretd 6_2_002756C8
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 6_2_00274DD9 push esp; ret 6_2_00274DDD
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_00734DD9 push esp; ret 7_2_00734DDD
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 7_2_007356A1 pushad ; iretd 7_2_007356C8
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 17_2_000156A1 pushad ; iretd 17_2_000156C8
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 17_2_00014DD9 push esp; ret 17_2_00014DDD
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 17_2_07FA9D25 push es; retf 17_2_07FA9D28
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 19_2_005E4DD9 push esp; ret 19_2_005E4DDD
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 19_2_005E56A1 pushad ; iretd 19_2_005E56C8
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 19_2_08439D25 push es; retf 19_2_08439D28
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 23_2_00F3CF71 push esp; iretd 23_2_00F3CF7D
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 28_2_009F56A1 pushad ; iretd 28_2_009F56C8
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Code function: 28_2_009F4DD9 push esp; ret 28_2_009F4DDD
                    Source: initial sample | Static PE information: section name: .text entropy: 7.31350730909
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                    Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Roaming\TRaCepbEuy.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
                    Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542476618.000000000243B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Purchase Order.exe, 00000000.00000002.383123542.0000000002E7B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542476618.000000000243B000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Purchase Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Purchase Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5912 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4480 | Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3192 | Thread sleep count: 3025 > 30
                    Source: C:\Users\user\Desktop\Purchase Order.exe TID: 3192 | Thread sleep count: 6830 > 30
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 4324 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Window / User API: threadDelayed 3025
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Window / User API: threadDelayed 6830
                    Source: C:\Users\user\Desktop\Purchase Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Thread delayed: delay time: 922337203685477
                    Source: tKZVPq.exe, 00000013.00000002.551783085.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: tKZVPq.exe, 00000013.00000002.552617624.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Purchase Order.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Memory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Memory written: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Users\user\Desktop\Purchase Order.exe {path}
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\Purchase Order.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR
                    Source: Yara match | File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3fff900.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35bf900.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35448e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.tKZVPq.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3bcf900.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3fff900.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase Order.exe.3f848e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.tKZVPq.exe.35bf900.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.0.tKZVPq.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3bcf900.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 19.2.tKZVPq.exe.3b548e0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4872, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Purchase Order.exe PID: 4848, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 5416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: tKZVPq.exe PID: 3732, type: MEMORYSTR
                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation
                    1
                    Scheduled Task/Job
                    111
                    Process Injection
                    1
                    Masquerading
                    1
                    Input Capture
                    311
                    Security Software Discovery
                    Remote Services1
                    Input Capture
                    Exfiltration Over Other Network Medium1
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Scheduled Task/Job
                    1
                    Registry Run Keys / Startup Folder
                    1
                    Scheduled Task/Job
                    1
                    File and Directory Permissions Modification
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop Protocol11
                    Archive Collected Data
                    Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)1
                    Registry Run Keys / Startup Folder
                    1
                    Disable or Modify Tools
                    Security Account Manager131
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)131
                    Virtualization/Sandbox Evasion
                    NTDS1
                    Application Window Discovery
                    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script111
                    Process Injection
                    LSA Secrets1
                    File and Directory Discovery
                    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common1
                    Deobfuscate/Decode Files or Information
                    Cached Domain Credentials113
                    System Information Discovery
                    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                    Hidden Files and Directories
                    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job2
                    Obfuscated Files or Information
                    Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)2
                    Software Packing
                    /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
Behavior Graph ID: 562512
Sample: Purchase Order.exe
Startdate: 28/01/2022
Architecture: WINDOWS
Score: 100

Signatures on the start node:
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- 12 other signatures

Process tree (files dropped and signatures listed under the process that produced them):
- Purchase Order.exe (6)
  - dropped: C:\Users\user\AppData\...\TRaCepbEuy.exe, PE32
  - dropped: C:\Users\user\AppData\Local\...\tmp8E57.tmp, XML
  - dropped: C:\Users\user\...\Purchase Order.exe.log, ASCII
  - signature: Injects a PE file into a foreign processes
  - started: Purchase Order.exe (2 5)
    - dropped: C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32
    - dropped: C:\Windows\System32\drivers\etc\hosts, ASCII
    - dropped: C:\Users\user\...\tKZVPq.exe:Zone.Identifier, ASCII
    - signature: Modifies the hosts file
    - signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  - started: schtasks.exe (1)
    - started: conhost.exe
  - started: Purchase Order.exe
- tKZVPq.exe (5)
  - signature: Multi AV Scanner detection for dropped file
  - signature: Machine Learning detection for dropped file
  - started: schtasks.exe (1)
    - started: conhost.exe
  - started: tKZVPq.exe
- tKZVPq.exe (4)
  - started: schtasks.exe
    - started: conhost.exe
  - started: tKZVPq.exe

Submitted file
Source | Detection | Scanner | Label
Purchase Order.exe | 40% | Virustotal |
Purchase Order.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Purchase Order.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | 40% | Virustotal |
C:\Users\user\AppData\Roaming\TRaCepbEuy.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | 40% | Virustotal |
C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE files
Source | Detection | Scanner | Label
7.0.Purchase Order.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
23.2.tKZVPq.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
7.2.Purchase Order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
23.0.tKZVPq.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Purchase Order.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Purchase Order.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
23.0.tKZVPq.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
23.0.tKZVPq.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Purchase Order.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
7.0.Purchase Order.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
23.0.tKZVPq.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
23.0.tKZVPq.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
URLs
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ybzARF.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                    No contacted domains info
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://DynDns.comDynDNS | tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Purchase Order.exe, 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ybzARF.com | tKZVPq.exe, 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Purchase Order.exe, 00000000.00000002.383066984.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.542437762.0000000002401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.552495218.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Purchase Order.exe, 00000000.00000002.388094306.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Purchase Order.exe, 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Purchase Order.exe, 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tKZVPq.exe, 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                          No contacted IP infos
                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:562512
                                          Start date:28.01.2022
                                          Start time:23:35:03
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 12m 31s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:Purchase Order.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.adwa.evad.winEXE@20/9@0/0
                                          EGA Information:
                                          • Successful, ratio: 71.4%
                                          HDC Information:
                                          • Successful, ratio: 2.3% (good quality ratio 1%)
                                          • Quality average: 33.8%
                                          • Quality standard deviation: 40.2%
                                          HCA Information:
                                          • Successful, ratio: 95%
                                          • Number of executed functions: 140
                                          • Number of non-executed functions: 17
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target Purchase Order.exe, PID 1880 because there are no executed functions
• Execution Graph export aborted for target tKZVPq.exe, PID 6856 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:36:30 | API Interceptor | 439x Sleep call for process: Purchase Order.exe modified
23:37:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
23:37:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tKZVPq C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
23:37:42 | API Interceptor | 2x Sleep call for process: tKZVPq.exe modified
                                          No context
                                          Process:C:\Users\user\Desktop\Purchase Order.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1314
                                          Entropy (8bit):5.350128552078965
                                          Encrypted:false
                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          Process:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1314
                                          Entropy (8bit):5.350128552078965
                                          Encrypted:false
                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          Process:C:\Users\user\Desktop\Purchase Order.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1643
                                          Entropy (8bit):5.185357543359401
                                          Encrypted:false
                                          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBjtn:cbh47TlNQ//rydbz9I3YODOLNdq3H
                                          MD5:2910C09B515C12498D48A2CEB8B2E2D4
                                          SHA1:B806BD7B3477B112B649CC4054FC96CAF6B7FCA7
                                          SHA-256:A4BEABC21D8F857F4E4AC50D6F599D1B8023172BC6E51967516F1BEB068DD819
                                          SHA-512:2AB2812469BE0E51B3760950019017AE37C63BADD2277FE1E41BDBD64FDA34506D43B68479F75A4C50062D685BAC993C4926F47DAB35C02676FDF435715A42E1
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                          Process:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1643
                                          Entropy (8bit):5.185357543359401
                                          Encrypted:false
                                          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBjtn:cbh47TlNQ//rydbz9I3YODOLNdq3H
                                          MD5:2910C09B515C12498D48A2CEB8B2E2D4
                                          SHA1:B806BD7B3477B112B649CC4054FC96CAF6B7FCA7
                                          SHA-256:A4BEABC21D8F857F4E4AC50D6F599D1B8023172BC6E51967516F1BEB068DD819
                                          SHA-512:2AB2812469BE0E51B3760950019017AE37C63BADD2277FE1E41BDBD64FDA34506D43B68479F75A4C50062D685BAC993C4926F47DAB35C02676FDF435715A42E1
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                          Process:C:\Users\user\Desktop\Purchase Order.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):909312
                                          Entropy (8bit):7.201647564710609
                                          Encrypted:false
                                          SSDEEP:12288:djtXf+RPhTN0zwBGc5kS+/WW7kY3zkjqnP5QaMZk+JOi6ZRWifvsKE5U9PH+me0Y:PmV9NE7Sl++WIvsjA+2VYJUEKlCW
                                          MD5:13D83A3812EC316654034E15F506AA06
                                          SHA1:9D4F2AFE54CA9B3CD31912B10DCC288B6696F3EA
                                          SHA-256:2518A50E9483DA255CB061CB5EB966F41F39DAF912341E7CF4442DA4B362DA8C
                                          SHA-512:7D17B219311E86C4F32726AEF5839212EE125C7E3A3A3A97D5719C0A51DDF09FCE543F3B5BFFD8577944B916C9635BC1E68D604B381F20504B5E421B591E3BA5
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Virustotal, Detection: 40%, Browse
                                          • Antivirus: ReversingLabs, Detection: 50%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............P......J........... ........@.. .......................@............@.................................T...W........F................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc....F.......H..................@..@.reloc....... ......................@..B........................H............)..........p2...V...........................................0..........*....0............ ..e. .D..a%..^E........+...........+)("...(..... A..>Z .gewa+... P...Z ....a+......(.....(.... .7. .D..a%..^E................+... :,.<Z ...9a+.*........RS.......0..*..........(#......($......(%......(.......(&....*...0..D.........(....o....('... 0..F ...+a%..^E................+... ..l.Z .Kj.a+.*.0...........((...*..0............o)...*.0............(*...*.0............(+....
                                          Process:C:\Users\user\Desktop\Purchase Order.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          Process:C:\Users\user\Desktop\Purchase Order.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):835
                                          Entropy (8bit):4.694294591169137
                                          Encrypted:false
                                          SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                          MD5:6EB47C1CF858E25486E42440074917F2
                                          SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                          SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                          SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                          Malicious:true
                                          Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.201647564710609
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:Purchase Order.exe
                                          File size:909312
                                          MD5:13d83a3812ec316654034e15f506aa06
                                          SHA1:9d4f2afe54ca9b3cd31912b10dcc288b6696f3ea
                                          SHA256:2518a50e9483da255cb061cb5eb966f41f39daf912341e7cf4442da4b362da8c
                                          SHA512:7d17b219311e86c4f32726aef5839212ee125c7e3a3a3a97d5719c0a51ddf09fce543f3b5bffd8577944b916c9635bc1e68d604b381f20504b5e421b591e3ba5
                                          SSDEEP:12288:djtXf+RPhTN0zwBGc5kS+/WW7kY3zkjqnP5QaMZk+JOi6ZRWifvsKE5U9PH+me0Y:PmV9NE7Sl++WIvsjA+2VYJUEKlCW
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............P......J........... ........@.. .......................@............@................................
                                          Icon Hash:04fcf0b0d4a6e46c
                                          Entrypoint:0x4ab2ae
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61F3EF1B [Fri Jan 28 13:26:51 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                           Instruction
                                           jmp dword ptr [00402000h]
                                           add byte ptr [eax], al   (repeated 97 times: the bytes after the .NET entry-point stub are zero padding, which x86 decodes as this instruction)
                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0xab254          0x57          .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0xac000          0x34698       .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                           Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                           .text   0x2000           0xa92b4       0xa9400   False     0.683070127862   data       7.31350730909    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rsrc   0xac000          0x34698       0x34800   False     0.444480096726   data       6.25657435947    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name           RVA      Size     Type                                                                                                                                   Language  Country
                                           RT_ICON        0xac2b0  0xc5d8   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                           RT_ICON        0xb8888  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                           RT_ICON        0xc90b0  0x94a8   data
                                           RT_ICON        0xd2558  0x5488   data
                                           RT_ICON        0xd79e0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                           RT_ICON        0xdbc08  0x25a8   data
                                           RT_ICON        0xde1b0  0x10a8   data
                                           RT_ICON        0xdf258  0x988    data
                                           RT_ICON        0xdfbe0  0x468    GLS_BINARY_LSB_FIRST
                                           RT_GROUP_ICON  0xe0048  0x84     data
                                           RT_VERSION     0xe00cc  0x3dc    data
                                           RT_MANIFEST    0xe04a8  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                           DLL          Import
                                           mscoree.dll  _CorExeMain
                                           Description       Data
                                           Translation       0x0000 0x04b0
                                           LegalCopyright    Copyright 2009-2021 Alexey Nicolaychuk aka Unwinder, developed special for Micro-Star Intl Co., Ltd.
                                           Assembly Version  1.0.0.0
                                           InternalName      kAj5Hnj.exe
                                           FileVersion       1.0.0.0
                                           CompanyName
                                           LegalTrademarks
                                           Comments
                                           ProductName       MSIAfterburner
                                           ProductVersion    1.0.0.0
                                           FileDescription   MSIAfterburner
                                           OriginalFilename  kAj5Hnj.exe
                                          No network behavior found
                                          Target ID:0
                                          Start time:23:36:02
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\Purchase Order.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Purchase Order.exe"
                                          Imagebase:0x910000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.386598355.00000000040FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.384446432.0000000003E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:4
                                          Start time:23:36:34
                                          Start date:28/01/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmp8E57.tmp
                                          Imagebase:0x11c0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:5
                                          Start time:23:36:36
                                          Start date:28/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:6
                                          Start time:23:36:37
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\Purchase Order.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x270000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          Target ID:7
                                          Start time:23:36:39
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\Purchase Order.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x730000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.377300432.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.376818442.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.378482840.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.377959898.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.566073924.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000007.00000002.569789706.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low

                                          Target ID:17
                                          Start time:23:37:25
                                          Start date:28/01/2022
                                          Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                                          Imagebase:0x10000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000002.544948329.0000000003401000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 40%, Virustotal, Browse
                                          • Detection: 50%, ReversingLabs
                                          Reputation:low

                                          Target ID:19
                                          Start time:23:37:34
                                          Start date:28/01/2022
                                          Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                                          Imagebase:0x5e0000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000013.00000002.554080549.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:21
                                          Start time:23:37:48
                                          Start date:28/01/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp
                                          Imagebase:0x11c0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:22
                                          Start time:23:37:52
                                          Start date:28/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:23
                                          Start time:23:37:52
                                          Start date:28/01/2022
                                          Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x730000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000017.00000002.569618047.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.534932278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.535514668.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.534286456.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000000.536182206.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.567278813.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low

                                          Target ID:25
                                          Start time:23:37:58
                                          Start date:28/01/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp
                                          Imagebase:0x11c0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

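The two schtasks.exe entries above (Target IDs 21 and 25) are the concrete events behind the "Suspicius Add Task From User AppData Temp" Sigma hit: a task named under Updates\ is registered from an XML definition dropped in the user's AppData\Local\Temp. The following detector is an added example written for this page, not Joe Sandbox or Sigma code; it parses schtasks command lines, tolerating the unbalanced quoting in which the report renders them, and flags a /Create whose /XML file lives in a user Temp directory. The sample events are constructed, modelled on the two command lines above plus two benign controls.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed process-creation events (not from a real EDR feed). The first two
# are modelled on the schtasks.exe command lines of Target IDs 21 and 25 above,
# including the unbalanced quoting in which the report renders them; the last
# two are benign controls.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpACD7.tmp',
    r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TRaCepbEuy" /XML "C:\Users\user\AppData\Local\Temp\tmpD0CA.tmp',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\TRaCepbEuy"',
]

# A schtasks switch and its optional argument. The argument may be quoted and
# the closing quote may be missing, so the value runs until the next switch or
# the end of the line rather than until a quote.
_SWITCH = re.compile(r'/([A-Za-z]+)(?:\s+"?([^"/][^"]*?)"?)?(?=\s+/|\s*$)')

# A task definition written under the user's own Temp directory.
_USER_TEMP = re.compile(r'\\users\\[^\\]+\\appdata\\local\\temp\\', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Map lower-cased schtasks switches to their arguments (None if absent)."""
    tail = re.search(r'\s(/.*)$', cmdline)
    if not tail:
        return {}
    return {key.lower(): (val.strip() or None) for key, val in _SWITCH.findall(tail.group(1))}


@dataclass
class Finding:
    task_name: str
    xml_path: str


def detect_task_from_user_temp(cmdline: str) -> Optional[Finding]:
    """Flag `schtasks /Create ... /XML <file>` when the XML sits in the user's Temp dir."""
    image = cmdline.split("/", 1)[0].lower()  # everything before the first switch
    if "schtasks" not in image:
        return None
    args = parse_schtasks(cmdline)
    xml_path = args.get("xml")
    if "create" not in args or not xml_path or not _USER_TEMP.search(xml_path):
        return None
    return Finding(task_name=args.get("tn") or "<unnamed>", xml_path=xml_path)


def scan(events: Iterable[str]) -> List[Finding]:
    """Run the detector over a batch of command lines and keep the hits."""
    return [f for f in map(detect_task_from_user_temp, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"suspicious task {finding.task_name!r} registered from {finding.xml_path}")
```

The value match stops at the next `/switch` or end of line instead of at a closing quote, because the report's command lines (and some telemetry pipelines) drop the outer quotes; a quote-driven parser would silently lose the /XML path on exactly the events that matter.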
                                          Target ID:26
                                          Start time:23:37:59
                                          Start date:28/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:28
                                          Start time:23:38:00
                                          Start date:28/01/2022
                                          Path:C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x7ff70d6e0000
                                          File size:909312 bytes
                                          MD5 hash:13D83A3812EC316654034E15F506AA06
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low


                                            Execution Graph

                                            Execution Coverage:9.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:5%
                                            Total number of Nodes:199
                                            Total number of Limit Nodes:23
                                            execution_graph (rendered call graph; the node and edge list was flattened on extraction). API calls reached by the graph's nodes, grouped by the memory region of the calling code:
                                            • 0x2bb0000 region: CreateProcessW (nodes 2bb24f0, 2bb0d44, 2bb3e28), GetThreadContext (2bb41e5), ReadProcessMemory (2bb42a3, 2bb4257), VirtualAllocEx (2bb436b), WriteProcessMemory (2bb4533), ResumeThread (2bb46e1)
                                            • 0x1100000 region: GetCurrentProcess (1106eb0, 1106f67), GetCurrentThread (1106f2a), GetCurrentThreadId (1106fc5), DuplicateHandle (11070d8), CreateWindowExW (110e000), SetWindowLongW (110e1d8, 110e1e0), GetFocus (11099b8), GetModuleHandleW (110c110), LoadLibraryExW (1107740, 1107750, 110aa09, 110aa18, 110b1c0, 110bb38, 110bb50, 110be97, 110be98, 110bed8, 110c350)
                                            • 0x8e50000 region: VirtualProtect (8e5c2b0, 8e5c2f8)

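The 0x2bb0000 nodes of the execution graph above call CreateProcessW, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory and ResumeThread. Taken in that order they are the classic process-hollowing (RunPE) chain, which is how a .NET loader ends up with AgentTesla running inside a fresh copy of its own image. The graph lists the calls but does not itself spell out the order; the ordering below is the standard hollowing sequence, an assumption of this example. The code is an added illustration written for this page, not Joe Sandbox code: it groups an API-call trace by process and reports processes whose calls contain the chain as an in-order subsequence, with unrelated calls allowed in between. The trace is constructed, modelled on the graph's call set.

```python
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Canonical process-hollowing order. The execution graph above shows these six
# calls in the 0x2bb0000 region; the order itself is assumed here, not read
# from the graph.
HOLLOWING_SEQUENCE = (
    "CreateProcessW",
    "GetThreadContext",
    "ReadProcessMemory",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "ResumeThread",
)

# Constructed trace of (pid, api) in call order, not captured from a live
# system. pid 7 interleaves the chain with the other calls the graph shows;
# pid 21 calls some of the same APIs but out of order.
SAMPLE_TRACE = [
    (7, "GetCurrentProcess"), (7, "LoadLibraryExW"), (7, "CreateProcessW"),
    (7, "GetThreadContext"), (7, "ReadProcessMemory"), (7, "VirtualAllocEx"),
    (7, "WriteProcessMemory"), (7, "VirtualProtect"), (7, "ResumeThread"),
    (21, "CreateProcessW"), (21, "ResumeThread"), (21, "WriteProcessMemory"),
]


def hollowing_progress(apis: Iterable[str], sequence: Tuple[str, ...] = HOLLOWING_SEQUENCE) -> int:
    """Count how many steps of `sequence` occur, in order, within `apis`.

    Greedy subsequence match: a step is consumed the first time its API shows
    up after the previous step. Returns len(sequence) when the whole chain is
    present; a lower value tells the analyst how far the loader got.
    """
    idx = 0
    for api in apis:
        if idx < len(sequence) and api == sequence[idx]:
            idx += 1
    return idx


def find_hollowing(trace: Iterable[Tuple[int, str]], min_steps: Optional[int] = None) -> List[int]:
    """Return the pids whose own call order contains at least `min_steps` of the chain."""
    if min_steps is None:
        min_steps = len(HOLLOWING_SEQUENCE)
    per_pid = defaultdict(list)
    for pid, api in trace:          # group by process, preserving call order
        per_pid[pid].append(api)
    return sorted(pid for pid, apis in per_pid.items()
                  if hollowing_progress(apis) >= min_steps)


if __name__ == "__main__":
    for pid in find_hollowing(SAMPLE_TRACE):
        print(f"pid {pid}: full process-hollowing chain observed")
```

Matching a subsequence rather than a contiguous run is what keeps the detector robust to the LoadLibraryExW, GetCurrentProcess and VirtualProtect calls the graph shows between the interesting ones; lowering `min_steps` turns it into an early-warning check for loaders killed by the sandbox before ResumeThread.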
                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph with executed/not-executed colouring; the edge list was flattened on extraction). Function at 8e567d0, basic blocks 8e567d0 through 8e56c0f; block 8e56846 fans out to more than twenty successor blocks, and block 8e56965 calls 8e56e18.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _{D@$fg<Y
                                            • API String ID: 0-51650776
                                            • Opcode ID: e821f235ce97d6afb9e13130fba16d1be510209772ed6b54dcedeb9caef9a3e7
                                            • Instruction ID: 635132460b52ed2e80164b18c4aa378a5da87a710e00863dfe5c8f14ab5304c9
                                            • Opcode Fuzzy Hash: e821f235ce97d6afb9e13130fba16d1be510209772ed6b54dcedeb9caef9a3e7
                                            • Instruction Fuzzy Hash: C8D15CB1D0520ADFCB44CFA5C5858AEFBB2FF99302B54E559C815AB224D734EA42CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph with executed/not-executed colouring; the edge list was flattened on extraction). Function at 8e5dd00, basic blocks 8e5dd00 through 8e5e18d; block 8e5df8f fans out to more than ten successor blocks.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D0bm
                                            • API String ID: 0-1972494630
                                            • Opcode ID: bfcbc990b189511c07b5a52e504092f9152bac74896199cfe0f34705a69452d0
                                            • Instruction ID: fce4c8a6ea6987103fe2e93cc228108fe45736f86d912d166e6b5b34e9890277
                                            • Opcode Fuzzy Hash: bfcbc990b189511c07b5a52e504092f9152bac74896199cfe0f34705a69452d0
                                            • Instruction Fuzzy Hash: FED1B275F0520A8FCB04DFF9C9456EEBBF6AFC8315F109829D805A7354DB349A018BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D^
                                            • API String ID: 0-2137943434
                                            • Opcode ID: 46674d338ad97e8b2994b4c09cee20103d4df28af53685ece58a81773384dd1e
                                            • Instruction ID: be73c059f9225bf331daa2ef45137598cddf6dff63032299951a2302c701d1c8
                                            • Opcode Fuzzy Hash: 46674d338ad97e8b2994b4c09cee20103d4df28af53685ece58a81773384dd1e
                                            • Instruction Fuzzy Hash: 34B157B5E04219CFCB04CFA9C8846EEBBB2FF89305F20942AD915EB254D7349942CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D^
                                            • API String ID: 0-2137943434
                                            • Opcode ID: 8b4b68e2b4fb60060405b2599c3486e709e3fc262a4ca3cb081a36e561c3329a
                                            • Instruction ID: fc0c629244e1add84bf60e7b7d9305a688a21e6ddcf2a578e39f294a6d2d5403
                                            • Opcode Fuzzy Hash: 8b4b68e2b4fb60060405b2599c3486e709e3fc262a4ca3cb081a36e561c3329a
                                            • Instruction Fuzzy Hash: 8D81C2B5E002188FCB08CFE9C984ADEBBB2FF89305F10942AD919BB254D7709946CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ?p`(
                                            • API String ID: 0-2377489638
                                            • Opcode ID: 88f6c19529874f9f0cfccd70ed72fa88c2dbde7578d868e14f290307c8b1b4a9
                                            • Instruction ID: 154b2219e95b24860fd1f1f48447ae9b309a469610258cfa44404b2074a9ddda
                                            • Opcode Fuzzy Hash: 88f6c19529874f9f0cfccd70ed72fa88c2dbde7578d868e14f290307c8b1b4a9
                                            • Instruction Fuzzy Hash: D3714B74D1A208DBCB06CFA5D6906EDFBB6FF89300F24A46AD406A7254D7B48945CB04
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ea3f0c88621e663c9759ff5332fa10ddf2070ed3e352147c024ad5d93e1ebc9
                                            • Instruction ID: 38e9bfb1c2217012e33288408c6832691111efc5b2f40a498f18294895acb3bc
                                            • Opcode Fuzzy Hash: 7ea3f0c88621e663c9759ff5332fa10ddf2070ed3e352147c024ad5d93e1ebc9
                                            • Instruction Fuzzy Hash: C1A11275E052198BDB04DFE9C9446DEFBF2AF88311F24D529D808AB318E7349942CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b08f8e513e1b44883db4b6deea0a0424f8121b34a5f95c815186109f96d7fbfa
                                            • Instruction ID: 1800cdc1c2d7c79f7206ddd92a343df0600e688c9d57913cfdf1284517243da2
                                            • Opcode Fuzzy Hash: b08f8e513e1b44883db4b6deea0a0424f8121b34a5f95c815186109f96d7fbfa
                                            • Instruction Fuzzy Hash: B381E476E00215DFC71DCFA9C184AAABBB2AF82346B25D56DCC055B395C731EC42CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 940e92d90d59b591990003b3401cc7a7e4c9657ba37a4f31e6b1b1dd98383bc9
                                            • Instruction ID: b23ad20f893d272bcba34397b609bc75795cf95c19dbe6cb216819f26a65367f
                                            • Opcode Fuzzy Hash: 940e92d90d59b591990003b3401cc7a7e4c9657ba37a4f31e6b1b1dd98383bc9
                                            • Instruction Fuzzy Hash: DD8114B4E002599FCB04DFE5D8555EEBBB2FF89300F20946AD81AAB368DB745942CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75abc7be07f1e7d3291ed7fb82d5ac12f7748b5da6c0556bbf1dcb0419e1b254
                                            • Instruction ID: 47bc83ea9a619d2139a2dd0254b4ca9ffbd7d820f092f5aa5be3f6bdbfa3e17f
                                            • Opcode Fuzzy Hash: 75abc7be07f1e7d3291ed7fb82d5ac12f7748b5da6c0556bbf1dcb0419e1b254
                                            • Instruction Fuzzy Hash: 9D81F3B4E102199FCB04DFE5D8555EEBBB2FF89300F209529D81AAB368DB745941CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ffab54983296478ddded8adbd5d9ff5b7c542c1316b8f17f174f965bfeb87af0
                                            • Instruction ID: 1920286a78348b5bf9b25a1a1b03befc53502931dfa31a1aafaa7a45f6b9b444
                                            • Opcode Fuzzy Hash: ffab54983296478ddded8adbd5d9ff5b7c542c1316b8f17f174f965bfeb87af0
                                            • Instruction Fuzzy Hash: BE512CB5E05209CFDB08CFAAD5415EEFBF2AF89305F14D02AD915BB294D7348A818F58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3889ab31c1be23206d8ba6bc4564fbe814056cc6457be24eb924ff804151c051
                                            • Instruction ID: 893536270011096283392be771ab80532900723c7f9ee1d5d59520a777646c7d
                                            • Opcode Fuzzy Hash: 3889ab31c1be23206d8ba6bc4564fbe814056cc6457be24eb924ff804151c051
                                            • Instruction Fuzzy Hash: AA511971E5462A8BDB24CF65CD447E9BBB6EF99300F1082EAD50DA7254EBB05AC48F40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3904c999e9d8ba70e5e36ed4797f4466c90bcc73c2a2151da6d059d63c4eefe7
                                            • Instruction ID: 5ab59548ba40593c47b9b39a2c254745040f4c1d7de7e843e4712013433a9f5b
                                            • Opcode Fuzzy Hash: 3904c999e9d8ba70e5e36ed4797f4466c90bcc73c2a2151da6d059d63c4eefe7
                                            • Instruction Fuzzy Hash: 6D415874E15218DBCB05CFA6D5847EEFBB6EF89200F14A56AE001B7294D7B49900CF24
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2bede4d2a69d8bf624c9eb91d0b6b66724a5536542feaa3262c863b2fe02e3b
                                            • Instruction ID: d4a1fd855bb41c9b2b787a76468a1aa42e0775aa5434890dbb9f2e29d6d35b5a
                                            • Opcode Fuzzy Hash: b2bede4d2a69d8bf624c9eb91d0b6b66724a5536542feaa3262c863b2fe02e3b
                                            • Instruction Fuzzy Hash: BE511A71E5062A8BDB28CF65CD447E9BBB2BFC8300F1082EAD508A7654EB705AC58F40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d6e27349b67761e06cf592bfcc41418568c16d47eca0fe885dc15172748f056
                                            • Instruction ID: c291af433290532b45aae5041efae6f53dd45102a3744e6cab1e0af8b6013d31
                                            • Opcode Fuzzy Hash: 2d6e27349b67761e06cf592bfcc41418568c16d47eca0fe885dc15172748f056
                                            • Instruction Fuzzy Hash: 132119B1E006588BEB18CFA7D8443CEBBB6AFC9311F14C17AD818A6264DB755945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 01106F10
                                            • GetCurrentThread.KERNEL32 ref: 01106F4D
                                            • GetCurrentProcess.KERNEL32 ref: 01106F8A
                                            • GetCurrentThreadId.KERNEL32 ref: 01106FE3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: ho
                                            • API String ID: 2063062207-2014758431
                                            • Opcode ID: 9646a03b9dc854c99d79701bd27d2b133384b9c7114b49ebf7485a9899355fbc
                                            • Instruction ID: c33530ce97b69297d4dbd311bfc45149f399b2dac795b72a1fac4f2047853618
                                            • Opcode Fuzzy Hash: 9646a03b9dc854c99d79701bd27d2b133384b9c7114b49ebf7485a9899355fbc
                                            • Instruction Fuzzy Hash: D25133B4D00249CFDB19CFA9D648BDEBBF0BF88304F248959E059A7290D7749848CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 01106F10
                                            • GetCurrentThread.KERNEL32 ref: 01106F4D
                                            • GetCurrentProcess.KERNEL32 ref: 01106F8A
                                            • GetCurrentThreadId.KERNEL32 ref: 01106FE3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: ho
                                            • API String ID: 2063062207-2014758431
                                            • Opcode ID: 63abeceacd9aa61f44d760f14ce5f927807a703ede55e3a1f8104c09d5332dfc
                                            • Instruction ID: 9faa98c4e7e602e9ce7ab2173407c273b096b5d23120ad696bdf772d2a814460
                                            • Opcode Fuzzy Hash: 63abeceacd9aa61f44d760f14ce5f927807a703ede55e3a1f8104c09d5332dfc
                                            • Instruction Fuzzy Hash: D15143B4D00249CFDB19CFAAD648BDEBBF4AF88304F24895DE019A7290D7746844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 81 2bb4253-2bb4255; 82 2bb4257-2bb42e4 (ReadProcessMemory); 83 2bb41e5-2bb421c (GetThreadContext); 86 2bb421e-2bb4224; 87 2bb4225-2bb4246; 90 2bb42ed-2bb430e; 91 2bb42e6-2bb42ec
                                            • Edges: 81->82, 81->83, 82->90, 82->91, 83->86, 83->87, 86->87, 91->90
                                            APIs
                                            • GetThreadContext.KERNEL32(?,00000000), ref: 02BB420F
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02BB42D7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ContextMemoryProcessReadThread
                                            • String ID:
                                            • API String ID: 1264303914-0
                                            • Opcode ID: 79c7f39224a96a4a725d059de58663d900aa4ccda31392e6121f4d44a5d6bc25
                                            • Instruction ID: 6f43e7f8a7c4514db7fe449c2966535986cab15ce9fea0489377019676b418ea
                                            • Opcode Fuzzy Hash: 79c7f39224a96a4a725d059de58663d900aa4ccda31392e6121f4d44a5d6bc25
                                            • Instruction Fuzzy Hash: 383135B29002099FDB00CF9AD945BEEFBF4FF48324F14846AE558A3241D378A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 736 2bb3e1c-2bb3eb3; 739 2bb3ebe-2bb3ec5; 740 2bb3eb5-2bb3ebb; 741 2bb3ed0-2bb3ee6; 742 2bb3ec7-2bb3ecd; 743 2bb3ee8-2bb3eee; 744 2bb3ef1-2bb3f8e (CreateProcessW); 746 2bb3f90-2bb3f96; 747 2bb3f97-2bb400b; 755 2bb401d-2bb4024; 756 2bb400d-2bb4013; 757 2bb403b; 758 2bb4026-2bb4035; 760 2bb403c
                                            • Edges: 736->739, 736->740, 739->741, 739->742, 740->739, 741->743, 741->744, 742->741, 743->744, 744->746, 744->747, 746->747, 747->755, 747->756, 755->757, 755->758, 756->755, 757->760, 758->757, 760->760
                                            APIs
                                            • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 02BB3F7B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 32a89a0c4bac7a6cde6672e09c618a0749bb3408ea905a612be93d720ac40ff0
                                            • Instruction ID: 6384e8c03e7a8b1d4b1d88e55c9fa52e7743f372157a84b66ada84bf75d138a9
                                            • Opcode Fuzzy Hash: 32a89a0c4bac7a6cde6672e09c618a0749bb3408ea905a612be93d720ac40ff0
                                            • Instruction Fuzzy Hash: 84512871900318DFDB21CF99C880BDDBBB5BF48314F14849AE808A7250DB75AA89CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 761 2bb0d44-2bb3eb3; 764 2bb3ebe-2bb3ec5; 765 2bb3eb5-2bb3ebb; 766 2bb3ed0-2bb3ee6; 767 2bb3ec7-2bb3ecd; 768 2bb3ee8-2bb3eee; 769 2bb3ef1-2bb3f8e (CreateProcessW); 771 2bb3f90-2bb3f96; 772 2bb3f97-2bb400b; 780 2bb401d-2bb4024; 781 2bb400d-2bb4013; 782 2bb403b; 783 2bb4026-2bb4035; 785 2bb403c
                                            • Edges: 761->764, 761->765, 764->766, 764->767, 765->764, 766->768, 766->769, 767->766, 768->769, 769->771, 769->772, 771->772, 772->780, 772->781, 780->782, 780->783, 781->780, 782->785, 783->782, 785->785
                                            APIs
                                            • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 02BB3F7B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 48a39f5f127a91e6938ee61119f8d58220a51147882d487dd4809df34bc5a3eb
                                            • Instruction ID: a3837a2b24f506f7a334869e11ceffb98cd8eb2a4b3c4a483c1cad9d7c612e9a
                                            • Opcode Fuzzy Hash: 48a39f5f127a91e6938ee61119f8d58220a51147882d487dd4809df34bc5a3eb
                                            • Instruction Fuzzy Hash: BA511771901318DFDB21CF99C890BDDBBB5BF48314F1484DAE908A7250DB75AA89CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 786 110df8c-110dffe; 787 110e000-110e006; 788 110e009-110e010; 789 110e012-110e018; 790 110e01b-110e053; 791 110e05b-110e0ba (CreateWindowExW); 792 110e0c3-110e0fb; 793 110e0bc-110e0c2; 797 110e108; 798 110e0fd-110e100; 799 110e109
                                            • Edges: 786->787, 786->788, 787->788, 788->789, 788->790, 789->790, 790->791, 791->792, 791->793, 792->797, 792->798, 793->792, 797->799, 798->797, 799->799
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0110E0AA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9f16504589ba5a613c6fd1cb99bcd7c273ad28dd86713960de58da2cac6e8cb7
                                            • Instruction ID: 31a0f3cd8c2de69e29b9057d6d19e9ed188fc1ddd8782157446a9d3da1b550a3
                                            • Opcode Fuzzy Hash: 9f16504589ba5a613c6fd1cb99bcd7c273ad28dd86713960de58da2cac6e8cb7
                                            • Instruction Fuzzy Hash: 1651D2B1D01309DFDB15CF9AC884ADEBFB5BF88314F24862AE415AB250D7B59845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 800 110df98-110dffe; 801 110e000-110e006; 802 110e009-110e010; 803 110e012-110e018; 804 110e01b-110e0ba (CreateWindowExW); 806 110e0c3-110e0fb; 807 110e0bc-110e0c2; 811 110e108; 812 110e0fd-110e100; 813 110e109
                                            • Edges: 800->801, 800->802, 801->802, 802->803, 802->804, 803->804, 804->806, 804->807, 806->811, 806->812, 807->806, 811->813, 812->811, 813->813
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0110E0AA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 2955f073efc89655afccdbd84bbff4e0466865f39beb89f729b97ee68d245331
                                            • Instruction ID: 52134417aee86b458d294ddbbf0e5be419485d6db7493049852ccc55e3968985
                                            • Opcode Fuzzy Hash: 2955f073efc89655afccdbd84bbff4e0466865f39beb89f729b97ee68d245331
                                            • Instruction Fuzzy Hash: 9141C1B1D01309DFDB19CF9AC884ADEBFB5BF88310F24852AE519AB250D7B59845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02BB4575
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ea82e564e115d2dd48f9044aeca4100754318a9f58b4e9f1ae35618ad52caf0a
                                            • Instruction ID: 4322c435228446e8b5a0afa0847de9217ffba62a29edc8742e4bc213cebc972d
                                            • Opcode Fuzzy Hash: ea82e564e115d2dd48f9044aeca4100754318a9f58b4e9f1ae35618ad52caf0a
                                            • Instruction Fuzzy Hash: 0F2155B1900249DFCB00CFAAC885BDEBBF8FF48310F04842AE818A7241D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph
                                            • Basic blocks: 1007 2bb4190-2bb4195; 1009 2bb4197-2bb41e4; 1010 2bb4125-2bb4138; 1015 2bb41f0-2bb421c (GetThreadContext); 1016 2bb41e6-2bb41ee; 1017 2bb421e-2bb4224; 1018 2bb4225-2bb4246
                                            • Edges: 1007->1009, 1007->1010, 1009->1015, 1009->1016, 1015->1017, 1015->1018, 1016->1015, 1017->1018
                                            APIs
                                            • GetThreadContext.KERNEL32(?,00000000), ref: 02BB420F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 87205f5af2545962d6ba1cfcb866afee69981bcde67451bc940932bb22c7df5a
                                            • Instruction ID: 307a670918a64c97da0ff564e0ca830bea394d8e9c27d9a24f7c4be07203eb82
                                            • Opcode Fuzzy Hash: 87205f5af2545962d6ba1cfcb866afee69981bcde67451bc940932bb22c7df5a
                                            • Instruction Fuzzy Hash: 97210571D006199FCB00CF9AD8857EEFBF4FF48224F14816AE818B7641D778A9458BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02BB4575
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: ff7a557626659877efebb5140aa0cd58afce9bb106971bf83f8642b3f55b6bf6
                                            • Instruction ID: 12449c77a76cd05c8a479ba0909a0695e6d1fa21476270a2047bcefb7478bb98
                                            • Opcode Fuzzy Hash: ff7a557626659877efebb5140aa0cd58afce9bb106971bf83f8642b3f55b6bf6
                                            • Instruction Fuzzy Hash: 492116B1900649DFCB10CF9AD885BDEBBF8FF48314F04842AE518A7251D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110715F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 394fa4af73f6b695950444334e01c59fd6b226005ae6ce8903e7c63cd9c04dc6
                                            • Instruction ID: 937a55520d883d8a61ac106c7829e8564567f4539bf687542f53b48f81ce6ad2
                                            • Opcode Fuzzy Hash: 394fa4af73f6b695950444334e01c59fd6b226005ae6ce8903e7c63cd9c04dc6
                                            • Instruction Fuzzy Hash: A121F4B5D00208AFDB10CFA9D985ADEBFF5EB48310F14841AE954A3250D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110715F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cca6254b92f5c6429328a66026e94f4423414120d31a1ed4c6ca63763da09385
                                            • Instruction ID: d4de0610d459bb2d9dbf309ad34a71898dfb9c77979d4c9528da055224778ccc
                                            • Opcode Fuzzy Hash: cca6254b92f5c6429328a66026e94f4423414120d31a1ed4c6ca63763da09385
                                            • Instruction Fuzzy Hash: D421C4B5D00208AFDB11CFAAD984ADEFBF9FB48324F14841AE954A3350D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02BB42D7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: ae32004ede7a4824ccb5b507547d17d426213cc5b57054b6c16617a354fc431d
                                            • Instruction ID: e1ecf69d6a09ed449d7993c22610335ec0479d230621cf5f8c4c3cf7a4037c2a
                                            • Opcode Fuzzy Hash: ae32004ede7a4824ccb5b507547d17d426213cc5b57054b6c16617a354fc431d
                                            • Instruction Fuzzy Hash: 7821D0B5900249DFCB10CF9AD984BDEBBF4FF48324F14842AE958A3250D378A954DFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetThreadContext.KERNEL32(?,00000000), ref: 02BB420F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 1ca76d76554f98f0523ba86d850ca97fae0ae90c7278189ec68a0a3ba6174ef0
                                            • Instruction ID: 6310f781dc42a7e00295eef7406419689d14b610e94781f17db0fe5b68da293c
                                            • Opcode Fuzzy Hash: 1ca76d76554f98f0523ba86d850ca97fae0ae90c7278189ec68a0a3ba6174ef0
                                            • Instruction Fuzzy Hash: DA2106B1D006199FCB00CF9AD9857EEFBF8FF48224F14816AE418B3641D778A9448FA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0110C1A9,00000800,00000000,00000000), ref: 0110C3BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 289dec954fddd7a53f75365a6c20ce836e26db65904b1897f17296a0b1da69b0
                                            • Instruction ID: fbb75879990064623616a091fd468606f6d9fdc3f32c2b0e6dad92161d5e2ebd
                                            • Opcode Fuzzy Hash: 289dec954fddd7a53f75365a6c20ce836e26db65904b1897f17296a0b1da69b0
                                            • Instruction Fuzzy Hash: 451122B6C042088FDB14CF9AD444BDEFBF8AB88310F04852AE515A7240C3B4A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNEL32(?,?,?,?), ref: 08E5C323
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 5dfec97c095069e298097e12bc49304d7f6ecf40eae460c2c0050a95d4e3d3c9
                                            • Instruction ID: fdc26a116826a211ebf272d3c23467419938955524209a95d63ae2c4725207cc
                                            • Opcode Fuzzy Hash: 5dfec97c095069e298097e12bc49304d7f6ecf40eae460c2c0050a95d4e3d3c9
                                            • Instruction Fuzzy Hash: AF2117719003099FCB10CF9AC484BDEFBF4FB48320F148429E958A3240D378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02BB4393
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 058c9f6ce765f648e24c1d8ff574029acfdd14d210bccf7299a7ebaba48d133d
                                            • Instruction ID: 398e4401fc7fc2339eaad7305d0906d02752f8af7eb4614cfe1baed082814c72
                                            • Opcode Fuzzy Hash: 058c9f6ce765f648e24c1d8ff574029acfdd14d210bccf7299a7ebaba48d133d
                                            • Instruction Fuzzy Hash: 1B216472800248DFCB11CF9AD884BDEBBF4FF48314F148869E529A7201D375A454CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0110C1A9,00000800,00000000,00000000), ref: 0110C3BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 0ceea91a53e45953f45e2c111ce9e3a272d2e656c25d735d330c0ab44e693620
                                            • Instruction ID: b004acfffe5944e2eb26219d3aa9f1d60622a2d2769ce70b59595817a4122969
                                            • Opcode Fuzzy Hash: 0ceea91a53e45953f45e2c111ce9e3a272d2e656c25d735d330c0ab44e693620
                                            • Instruction Fuzzy Hash: 841114B6C002088FDB14CFAAD444BDEFBF4AB88310F14852ED515A7640C3B4A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02BB4393
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: bce4a5d7430e6b1feba2e559af4a6799ceab5e819beb6303cc242017680fa633
                                            • Instruction ID: 8e7e82c1ae3fa624a865b91bdda15aa6ee71b84206002d419b759b0a06167666
                                            • Opcode Fuzzy Hash: bce4a5d7430e6b1feba2e559af4a6799ceab5e819beb6303cc242017680fa633
                                            • Instruction Fuzzy Hash: 8C1125B6900248DFCB10CF9AD884BDEBBF8FF48324F148419E528A7250C375A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0110C12E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 6de0f77886bbe66907a42e4a47fd8771aa8108d136723990c2eac1692d63fca8
                                            • Instruction ID: 3b4afc4d4ca82a93659995c7ceb33a9a319858e72595e0392158d3b6bba85395
                                            • Opcode Fuzzy Hash: 6de0f77886bbe66907a42e4a47fd8771aa8108d136723990c2eac1692d63fca8
                                            • Instruction Fuzzy Hash: 031102B1C00649CEDB14CF9AC444BDEFBF4AF88224F14855AD469A7640C378A546CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0110C12E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 1fd25841d2fe093146ce2f5801e8710a21fb44a024c23a6469733d06b5068bdd
                                            • Instruction ID: 3f921e45bb3e8d6a375d863d017c6e827ecc3c82e56239cdebd4a762c3eacdaa
                                            • Opcode Fuzzy Hash: 1fd25841d2fe093146ce2f5801e8710a21fb44a024c23a6469733d06b5068bdd
                                            • Instruction Fuzzy Hash: F511E3B5C00649CFDB14CF9AC844BDEFBF4AF88224F14855AD529A7640C378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0110E23D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 6eb8d3e3804941fc56076aa24dcffca8ea82531f30ab70ca754c3058644bcef6
                                            • Instruction ID: e6b8489c137c3f53197b8c1be95f6c72d0237677648e519dce93215f0c0dd404
                                            • Opcode Fuzzy Hash: 6eb8d3e3804941fc56076aa24dcffca8ea82531f30ab70ca754c3058644bcef6
                                            • Instruction Fuzzy Hash: 731122B58002098FDB10DF9AD584BDEBBF8FB48324F24841AD964B7340C3B4A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: a1fea7f59499f4489e27dc683f63ff3424a4bd323954b2650a0b0e457022b549
                                            • Instruction ID: 5596f1b56ccab932d4ab6d6b40d0e5185e370f6a8db950c135228504af27dfa8
                                            • Opcode Fuzzy Hash: a1fea7f59499f4489e27dc683f63ff3424a4bd323954b2650a0b0e457022b549
                                            • Instruction Fuzzy Hash: 9A1133B18002488FCB11CF9AD4847DEFBF4EF49324F148459D518A7740C374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0110E23D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 343650d1acc876f5745c380cf907086967b156c4d5138127f2e25ee985027c3e
                                            • Instruction ID: a2286a4ae52e4482a8092953ef6587499f83ada69da8374b3f137aa02a934891
                                            • Opcode Fuzzy Hash: 343650d1acc876f5745c380cf907086967b156c4d5138127f2e25ee985027c3e
                                            • Instruction Fuzzy Hash: 341100B5C002088FDB10CF9AD584BDEBBF8EB88324F14841AE915A3240C3B4A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 9e35a2359cf9d80a3ead80d8d0e2f980de2bf6888d8126eafacaf8291214fe26
                                            • Instruction ID: 94ba27853e3d7d12a1c5fdc118c90a89aff8142c0c945881bb1886392df1ce8d
                                            • Opcode Fuzzy Hash: 9e35a2359cf9d80a3ead80d8d0e2f980de2bf6888d8126eafacaf8291214fe26
                                            • Instruction Fuzzy Hash: AC1112B18002088FCB10CF9AD588BDEFBF8FF49324F24845AD528A3640D775A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382501862.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10ad000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be56ee497e603f76322d74bdb381f5a44b209b559d011ee15124edf1e52bf4c8
                                            • Instruction ID: 92e6befce0fa9215425b12b114578159fed765c9254faa275e3ee035ab79fb45
                                            • Opcode Fuzzy Hash: be56ee497e603f76322d74bdb381f5a44b209b559d011ee15124edf1e52bf4c8
                                            • Instruction Fuzzy Hash: 53217C71500200DFCF05CFE4C9C4B6ABFA5FB88328F6485ADD9850B616C336D846C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382541747.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10bd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4585905b32253874dd3f6f3c798fc11519e5a3519be8c21841202f73205630d
                                            • Instruction ID: 3c052f1dcef10081578b19144c1d060a8a1e3f721e6810f0d269456173725a05
                                            • Opcode Fuzzy Hash: c4585905b32253874dd3f6f3c798fc11519e5a3519be8c21841202f73205630d
                                            • Instruction Fuzzy Hash: A1212571504200DFCB15CF94D9C4B66FBA5FB84368F24C9ADE9890B246C73AD847CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382541747.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10bd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 870283f524c678abcfc5de89022180077be257b2cbf6135817e137025dae5ebd
                                            • Instruction ID: ab246c58f6f9133a29e62caaf634ddb6b3c3bf7f9bffede0c47b259fabd0d476
                                            • Opcode Fuzzy Hash: 870283f524c678abcfc5de89022180077be257b2cbf6135817e137025dae5ebd
                                            • Instruction Fuzzy Hash: 84210771504280EFDB05DF94D9C0B66FBA5FB94328F24C9ADD9894B242C736D846CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382541747.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10bd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2e6d9005f517568b682a6fa76152836902b1633189d2fdb8e37038ffc2a7cf0
                                            • Instruction ID: 54367d632a41063af513b96aa35970b3fdd09b8358ae50ee7cdc0d5ce6772161
                                            • Opcode Fuzzy Hash: e2e6d9005f517568b682a6fa76152836902b1633189d2fdb8e37038ffc2a7cf0
                                            • Instruction Fuzzy Hash: 532141755083809FCB12CF54D994B11BFB1EB46214F28C5EAD8858B267C33A9856CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382501862.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10ad000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction ID: 12bd65709c3f5935473d6fb9ecc717acccc0ac75639c01c1b8d0d3f67816cc73
                                            • Opcode Fuzzy Hash: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction Fuzzy Hash: 9A11D376404280CFCF12CF94D5C4B16BFB1FB84324F2486A9D8850B657C33AD55ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382541747.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10bd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1dbedae0698d52e0643ce1b7d8e11560290ac4443e7eb4d9f0d1352bf0b3008
                                            • Instruction ID: 2ae154db0771fdb814e0862998176f2e4a0a38a499c8ee364225d8fe62c1dc4d
                                            • Opcode Fuzzy Hash: f1dbedae0698d52e0643ce1b7d8e11560290ac4443e7eb4d9f0d1352bf0b3008
                                            • Instruction Fuzzy Hash: 0011A975504280DFCB52CF54C6C0B55FFA1FB84228F28C6A9D8894B656C33AD84ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382501862.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10ad000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ada55d9f08218d6b4a6ee5e3220e4569ee3b77938c706ec3f0c2b5e65790636
                                            • Instruction ID: 8fb3b4db3b8c7e043acb8e674fc83e90157bc304ac386ae52780870aad1112de
                                            • Opcode Fuzzy Hash: 2ada55d9f08218d6b4a6ee5e3220e4569ee3b77938c706ec3f0c2b5e65790636
                                            • Instruction Fuzzy Hash: 0701FC310043849EE7154AD9CC8476EFFDCFF41664F488899ED450A682E7789844C7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382501862.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_10ad000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51e27093a5cd2c1bdd2f351695f49360f1bb00f4376da19c6f8cc5ecf6a6cc53
                                            • Instruction ID: da02b409516dd37d31fcceba993573229d160971ea2097a98b7bd1c8b96ccaef
                                            • Opcode Fuzzy Hash: 51e27093a5cd2c1bdd2f351695f49360f1bb00f4376da19c6f8cc5ecf6a6cc53
                                            • Instruction Fuzzy Hash: 67F0C2714043849EEB158A59CD84B66FFE8EB41634F18C59AED484F682D3789844CBB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $%^m$ssr$ssr
                                            • API String ID: 0-1799261603
                                            • Opcode ID: c248575ecfe99997aa98f7ca490c34d56008b2ac8c5469ade1bff5d4a5add5f4
                                            • Instruction ID: 9df946501b6f4d6adc3c618c376560fd00ad08139969e776a1a1bbe273f4800f
                                            • Opcode Fuzzy Hash: c248575ecfe99997aa98f7ca490c34d56008b2ac8c5469ade1bff5d4a5add5f4
                                            • Instruction Fuzzy Hash: D9813774E0420ADFCB18CFA5E5959EEFBB2FF89200F10992AD415BB254D774AA02CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 1Et3$:@P
                                            • API String ID: 0-623094759
                                            • Opcode ID: dbba2f795dd8ed4f402da83f274cbafdeb6f98965da2a25f51a0f7e2325fd9ff
                                            • Instruction ID: afd983e0998b1a26e87ab7f1b86e04d2d8cbfa996d66a57ae59847b3ce7d933e
                                            • Opcode Fuzzy Hash: dbba2f795dd8ed4f402da83f274cbafdeb6f98965da2a25f51a0f7e2325fd9ff
                                            • Instruction Fuzzy Hash: AB813674E0520A9FCF05CFA9D8815EEFBB2EF89200F20946AC915F7264D7749A42CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $%^m
                                            • API String ID: 0-665390657
                                            • Opcode ID: c983f07b5a013101c00a467ef2d709668e757028aeecc93f65425abb79e52ba8
                                            • Instruction ID: 15e0f0cce2291d8602411937654ff80a0cb4b3c6c83c1f9b7ba6c42fda7bbfe7
                                            • Opcode Fuzzy Hash: c983f07b5a013101c00a467ef2d709668e757028aeecc93f65425abb79e52ba8
                                            • Instruction Fuzzy Hash: 2F711874E0420ADFCB18CFA5E5959AEFBB2FF89200F10992AD415BB394D7749A02CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .
                                            • API String ID: 0-3301801010
                                            • Opcode ID: 030e7c9e555de7d96c7c025353b1b81416b7606bb4f4950884a58acc9ec23e1b
                                            • Instruction ID: 934f1d23f9f0cac9de7e4da5b0aef2f3cca17c22f7c2ffd535a72bef0c8e4032
                                            • Opcode Fuzzy Hash: 030e7c9e555de7d96c7c025353b1b81416b7606bb4f4950884a58acc9ec23e1b
                                            • Instruction Fuzzy Hash: 41511C75D0561A8FCB48CFAAC4815EFFBF2BF98340F14D42AC819A7254D73496428F95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .
                                            • API String ID: 0-3301801010
                                            • Opcode ID: e1db2e8e2cd0408b9f73ced0e9919f01bc10b99d6bd3fd1bf3fae52aea3f0b4f
                                            • Instruction ID: fcf9294d93d2a8b16bdd8fc2dd8fdccd1221b109f23ac60292ea43cf865aaecf
                                            • Opcode Fuzzy Hash: e1db2e8e2cd0408b9f73ced0e9919f01bc10b99d6bd3fd1bf3fae52aea3f0b4f
                                            • Instruction Fuzzy Hash: B751EA71D0461A9FCB48CFAAC4815EFFBF2AB98340F24D429C919B7254D73496428F95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef691a910df8931c954c9796dd1f4ea41fd7b807039d0638182701bee2c5c176
                                            • Instruction ID: 44b6fd985cb4364f6df9f4c63c531c221e4e4530533a0c1f68381c483a107a75
                                            • Opcode Fuzzy Hash: ef691a910df8931c954c9796dd1f4ea41fd7b807039d0638182701bee2c5c176
                                            • Instruction Fuzzy Hash: B6C1BD32B016058FDB1ADB79C4607AEB7E7AFC9208F1444A9D14ACB391CFB5E905CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1639f682270a543eb096b1f5575faf3c1b6be0a004e6006af8b98074b78e9a7a
                                            • Instruction ID: 86820d681fa1f6f927508bee35f20f8969427d6000b6c9e8cafc9db8880b1dab
                                            • Opcode Fuzzy Hash: 1639f682270a543eb096b1f5575faf3c1b6be0a004e6006af8b98074b78e9a7a
                                            • Instruction Fuzzy Hash: 0912EAF96117468FE335CF6AE8981893BB8B755328F904308D2616FAD8D7B4314ACF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f306b293bbbe9f95c4150615f80fd6a5e8618aeda977618754327bb1bd435b1c
                                            • Instruction ID: 8e3a3052f577a64642926d22ceaec84c905d2adcccf5d03286d8d8df86a925bc
                                            • Opcode Fuzzy Hash: f306b293bbbe9f95c4150615f80fd6a5e8618aeda977618754327bb1bd435b1c
                                            • Instruction Fuzzy Hash: 4DA1B136E0021ACFCF1ADFB5C8445DEBBB2FF85304B15856AE905BB260EB71A915CB40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f7b1f01a612a4a19356a7168f5ced220f54342dd8b9a5875bc2bdc8c95a4433
                                            • Instruction ID: efb22dc3ba8e9290c16a296254c60607417a48c9f7ccef72b821b3eeafb36eaf
                                            • Opcode Fuzzy Hash: 5f7b1f01a612a4a19356a7168f5ced220f54342dd8b9a5875bc2bdc8c95a4433
                                            • Instruction Fuzzy Hash: 2AC17FF5A117468FE335DF6AE8881897BB9FB85328F504308D2616B6D8D7B4344ACF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382645328.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1100000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 214133241fb5c8dc315367403ab86149ef1a460f4d1a69b896b90e25514b52fb
                                            • Instruction ID: 1064ef21b0d7e5dd984193b33e3eb273103f40431ad283e3f1bd27ef72881bd9
                                            • Opcode Fuzzy Hash: 214133241fb5c8dc315367403ab86149ef1a460f4d1a69b896b90e25514b52fb
                                            • Instruction Fuzzy Hash: 57614874E0420ADFCB18CFA4E5859AEFBB1FF89201F10996AD415BB294D774AA02CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.389105149.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8e50000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 00e2a3a06d7a42b148b1fa86bb805b31d7c655dc25b3c60b0bb9445c86114fa9
                                            • Instruction ID: 36e621b19f06e71d834210152b5e7e5c8c84eb52a021318651386ebc183a7d75
                                            • Opcode Fuzzy Hash: 00e2a3a06d7a42b148b1fa86bb805b31d7c655dc25b3c60b0bb9445c86114fa9
                                            • Instruction Fuzzy Hash: 37411571E146199FCB04CF9AC9408EEFBF2FF89211F54A56AD819B7225D7309A41CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.382812791.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2bb0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d06b970d6132b974b9646c15b1ac9fc46ca24b5bd5cc25c7b324deae10162a00
                                            • Instruction ID: d71249652dd11ed7b7d3e8105fb13d97fbf95e13bb462a4fc792c6d580ebd017
                                            • Opcode Fuzzy Hash: d06b970d6132b974b9646c15b1ac9fc46ca24b5bd5cc25c7b324deae10162a00
                                            • Instruction Fuzzy Hash: B7110671E116198BDB08CFABE9406EEFBF7AFC8210F14C17AD508A7214DB704A028F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage: 11.9%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 86
                                            Total number of Limit Nodes: 5
                                            execution_graph 12407 fdd01c 12408 fdd034 12407->12408 12409 fdd08e 12408->12409 12414 11d5338 12408->12414 12418 11d7961 12408->12418 12426 11d3ca4 12408->12426 12434 11d5348 12408->12434 12415 11d5348 12414->12415 12416 11d3ca4 CallWindowProcW 12415->12416 12417 11d538f 12416->12417 12417->12409 12420 11d7988 12418->12420 12419 11d79e9 12423 11d79e7 12419->12423 12446 11d6964 12419->12446 12420->12419 12422 11d79d9 12420->12422 12438 11d7b10 12422->12438 12442 11d7b00 12422->12442 12427 11d3caf 12426->12427 12428 11d79e9 12427->12428 12431 11d79d9 12427->12431 12429 11d79e7 12428->12429 12430 11d6964 CallWindowProcW 12428->12430 12430->12429 12432 11d7b10 CallWindowProcW 12431->12432 12433 11d7b00 CallWindowProcW 12431->12433 12432->12429 12433->12429 12435 11d536e 12434->12435 12436 11d3ca4 CallWindowProcW 12435->12436 12437 11d538f 12436->12437 12437->12409 12440 11d7b1e 12438->12440 12439 11d6964 CallWindowProcW 12439->12440 12440->12439 12441 11d7c07 12440->12441 12441->12423 12444 11d7b05 12442->12444 12443 11d6964 CallWindowProcW 12443->12444 12444->12443 12445 11d7c07 12444->12445 12445->12423 12447 11d696f 12446->12447 12448 11d7cd2 CallWindowProcW 12447->12448 12449 11d7c81 12447->12449 12448->12449 12449->12423 12450 11d6d78 DuplicateHandle 12451 11d6e0e 12450->12451 12452 11d5190 12453 11d51f8 CreateWindowExW 12452->12453 12455 11d52b4 12453->12455 12455->12455 12456 11dbc30 12457 11dbc44 12456->12457 12460 11dbe7a 12457->12460 12466 11dbf50 12460->12466 12471 11dc076 12460->12471 12476 11dc05c 12460->12476 12481 11dbf60 12460->12481 12467 11dbfa4 12466->12467 12468 11dc09b 12467->12468 12486 11dc3a9 12467->12486 12494 11dc358 12467->12494 12472 11dc089 12471->12472 12473 11dc09b 12471->12473 12474 11dc3a9 2 API calls 12472->12474 12475 11dc358 2 API calls 12472->12475 12474->12473 12475->12473 12477 11dc00f 12476->12477 12477->12476 12478 11dc09b 12477->12478 12479 11dc3a9 2 API calls 12477->12479 12480 11dc358 2 API calls 12477->12480 12479->12478 12480->12478 12482 11dbfa4 12481->12482 12483 11dc09b 12482->12483 12484 11dc3a9 2 API calls 12482->12484 12485 11dc358 2 API calls 12482->12485 12484->12483 12485->12483 12487 11dc352 12486->12487 12488 11dc3b2 12486->12488 12492 11dc3a9 RtlEncodePointer 12487->12492 12499 11dc3b8 12487->12499 12490 11dc41c RtlEncodePointer 12488->12490 12491 11dc445 12488->12491 12489 11dc386 12489->12468 12490->12491 12491->12468 12492->12489 12495 11dc376 12494->12495 12497 11dc3a9 2 API calls 12495->12497 12498 11dc3b8 RtlEncodePointer 12495->12498 12496 11dc386 12496->12468 12497->12496 12498->12496 12500 11dc3f2 12499->12500 12501 11dc41c RtlEncodePointer 12500->12501 12502 11dc445 12500->12502 12501->12502 12502->12489 12503 11d6b50 GetCurrentProcess 12504 11d6bca GetCurrentThread 12503->12504 12505 11d6bc3 12503->12505 12506 11d6c07 GetCurrentProcess 12504->12506 12507 11d6c00 12504->12507 12505->12504 12508 11d6c3d 12506->12508 12507->12506 12509 11d6c65 GetCurrentThreadId 12508->12509 12510 11d6c96 12509->12510

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 011D6BB0
                                            • GetCurrentThread.KERNEL32 ref: 011D6BED
                                            • GetCurrentProcess.KERNEL32 ref: 011D6C2A
                                            • GetCurrentThreadId.KERNEL32 ref: 011D6C83
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: eb24d45492e2250942ceab03c1f0375a048149606f676f0dc5058049b2c8c976
                                            • Instruction ID: c45535d1852f8588cb6254763f5d0e2ccab45379737e53b1279d1642c607611e
                                            • Opcode Fuzzy Hash: eb24d45492e2250942ceab03c1f0375a048149606f676f0dc5058049b2c8c976
                                            • Instruction Fuzzy Hash: 6A5135B0A00649CFDB14CFA9C648BDEBBF4EF88314F208499E159A7350D7746944CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 78 11d5184-11d51f6 79 11d51f8-11d51fe 78->79 80 11d5201-11d5208 78->80 79->80 81 11d520a-11d5210 80->81 82 11d5213-11d524b 80->82 81->82 83 11d5253-11d52b2 CreateWindowExW 82->83 84 11d52bb-11d52f3 83->84 85 11d52b4-11d52ba 83->85 89 11d52f5-11d52f8 84->89 90 11d5300 84->90 85->84 89->90 91 11d5301 90->91 91->91
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011D52A2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: f414e9a4020e6947f26455a335915cb0e84046650738b2fe78c58a01493b6947
                                            • Instruction ID: 94e45736814f7982f477c94e87caa3eac932d06acf77610a242e07bdeec327d2
                                            • Opcode Fuzzy Hash: f414e9a4020e6947f26455a335915cb0e84046650738b2fe78c58a01493b6947
                                            • Instruction Fuzzy Hash: 8F51D0B1D10309DFDB14CF99C884ADEBFB6BF98314F24812AE819AB210D7749845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 92 11d5190-11d51f6 93 11d51f8-11d51fe 92->93 94 11d5201-11d5208 92->94 93->94 95 11d520a-11d5210 94->95 96 11d5213-11d52b2 CreateWindowExW 94->96 95->96 98 11d52bb-11d52f3 96->98 99 11d52b4-11d52ba 96->99 103 11d52f5-11d52f8 98->103 104 11d5300 98->104 99->98 103->104 105 11d5301 104->105 105->105
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011D52A2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 5e30782f0f72c6bb38f6500055fd5bd861a876b7d943ea8aed6bd01b46690b79
                                            • Instruction ID: 8a6b7ad8bf90afab432409c8ab3a226b867158bea555dab9a18f31d06161ebd4
                                            • Opcode Fuzzy Hash: 5e30782f0f72c6bb38f6500055fd5bd861a876b7d943ea8aed6bd01b46690b79
                                            • Instruction Fuzzy Hash: C941B0B1D10309DFDB18CF99C884ADEBFB6BF88314F24812AE919AB210D7749845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 106 11d6964-11d7c74 109 11d7c7a-11d7c7f 106->109 110 11d7d24-11d7d44 call 11d3ca4 106->110 112 11d7c81-11d7cb8 109->112 113 11d7cd2-11d7d0a CallWindowProcW 109->113 118 11d7d47-11d7d54 110->118 119 11d7cba-11d7cc0 112->119 120 11d7cc1-11d7cd0 112->120 114 11d7d0c-11d7d12 113->114 115 11d7d13-11d7d22 113->115 114->115 115->118 119->120 120->118
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 011D7CF9
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 7c238724e1810bf484a7d46e27977cf439e3141d3195cbab2bf549638bd3a79a
                                            • Instruction ID: 3bc16efec8235869bf29d2207139d09c0f4243b6d2c8a0830fcd29dc3790b97c
                                            • Opcode Fuzzy Hash: 7c238724e1810bf484a7d46e27977cf439e3141d3195cbab2bf549638bd3a79a
                                            • Instruction Fuzzy Hash: 34414BB5900605CFDB18CF99C488BAABBF5FF88318F258459D519AB361D734A841CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 123 11dc3a9-11dc3b0 124 11dc352-11dc376 call 11dbf28 123->124 125 11dc3b2-11dc3fa 123->125 143 11dc380 call 11dc3a9 124->143 144 11dc380 call 11dc3b8 124->144 131 11dc3fc-11dc3fe 125->131 132 11dc400 125->132 133 11dc405-11dc410 131->133 132->133 135 11dc471-11dc47e 133->135 136 11dc412-11dc443 RtlEncodePointer 133->136 134 11dc386-11dc3a5 call 11dc178 140 11dc44c-11dc46c 136->140 141 11dc445-11dc44b 136->141 140->135 141->140 143->134 144->134
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 011DC432
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 420665d059aac42397a60a80b31fd9f184839ce24fb0f55e79bbcaeee3f285e5
                                            • Instruction ID: d5450b3a04ce804b3ae436a17016adc924e9f519e28814a73d1d317f1e2393b4
                                            • Opcode Fuzzy Hash: 420665d059aac42397a60a80b31fd9f184839ce24fb0f55e79bbcaeee3f285e5
                                            • Instruction Fuzzy Hash: 1831E2718043458FDB10DFA8D5483EEBFF0AB59318F28885EC888A7342C7755849CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 145 11d6d72-11d6e0c DuplicateHandle 146 11d6e0e-11d6e14 145->146 147 11d6e15-11d6e32 145->147 146->147
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D6DFF
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5a9f8606f47f254153c7edf1e0307d37800401b0b4f8e3a81527b6d53ad6f89c
                                            • Instruction ID: dc0398eaebf35ae152ec403afd757e9b957c9874c9b2ac1fb1db7eb2a40558aa
                                            • Opcode Fuzzy Hash: 5a9f8606f47f254153c7edf1e0307d37800401b0b4f8e3a81527b6d53ad6f89c
                                            • Instruction Fuzzy Hash: FE21E3B59002589FDB10CFA9D984AEEFFF4EB48324F14841AE954A3210D378A955CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 150 11d6d78-11d6e0c DuplicateHandle 151 11d6e0e-11d6e14 150->151 152 11d6e15-11d6e32 150->152 151->152
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D6DFF
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c12ced4a377102bde3accae24e6b53a98874c8be4feb781f9ff052f80f8ddcd2
                                            • Instruction ID: 4506649999687d6606ca0cc9e9ece95aa09ca6e5b12dc6a94270554f2010a452
                                            • Opcode Fuzzy Hash: c12ced4a377102bde3accae24e6b53a98874c8be4feb781f9ff052f80f8ddcd2
                                            • Instruction Fuzzy Hash: 7621C2B5900218DFDB10CFAAD984ADEBBF8EB48324F14841AE914A7310D378A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered image; basic blocks 11dc3b8-11dc47e, one call to RtlEncodePointer)
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 011DC432
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569263109.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_11d0000_Purchase Order.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: fdfa3f20b6f5eaa9d2eb8ba343470049f4553da57906f288acdc143368609f5a
                                            • Instruction ID: e815cd2ed810844b7f5b4703731cd192f2d23d654efa1f1aab9bde8514b6e3b5
                                            • Opcode Fuzzy Hash: fdfa3f20b6f5eaa9d2eb8ba343470049f4553da57906f288acdc143368609f5a
                                            • Instruction Fuzzy Hash: B71179719407058FDB10DFAAD5487AEBFF8EB48314F24882ED449A7641C738A949CFA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.568936484.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fcd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cbdd899738f200a8299cc849bee624dafe217fac0f769107e472c91127d41505
                                            • Instruction ID: 09ccc1016f9322413233763fac8ccec0addd7c06ae146c66de1011a230f5819f
                                            • Opcode Fuzzy Hash: cbdd899738f200a8299cc849bee624dafe217fac0f769107e472c91127d41505
                                            • Instruction Fuzzy Hash: 09210672500241DFCB05DF54DAC1F2ABFA5FB98328F28897DE8054B246C336D856E7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.568936484.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fcd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2ad7e3450715879776edcdac51b0779daaf780dba74895bb5bd9ca3519d1a44
                                            • Instruction ID: 7cd5f26e14f968a80351b55aacedff4294feec96bfe0283f2f363ac25f8b68d1
                                            • Opcode Fuzzy Hash: d2ad7e3450715879776edcdac51b0779daaf780dba74895bb5bd9ca3519d1a44
                                            • Instruction Fuzzy Hash: C6213672500201DFCB08DF50DAC1F2BBB65FB84324F24897CD9050B246C336E846E7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569025246.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fdd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 227e9f9091a3f166e83ce1580b599de075cd72eafe37db64941df8d1419dae75
                                            • Instruction ID: bf1be76be821b9fb325715a35e3c75051722087dedeec6ab9d58ba265d944a34
                                            • Opcode Fuzzy Hash: 227e9f9091a3f166e83ce1580b599de075cd72eafe37db64941df8d1419dae75
                                            • Instruction Fuzzy Hash: A221F571504240DFCB14DF54D9C8B26BBA6FBC4324F28C96ED8494B34AC73AD847DA62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.569025246.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fdd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f0644943b0e79fe21c5cc57218256ee96783f20ad81e85ece89300906c796d2
                                            • Instruction ID: dabf0667e0cc0f5628d5460b18b72f4b5aed38f35d23e4577d01dcbb46f52e20
                                            • Opcode Fuzzy Hash: 2f0644943b0e79fe21c5cc57218256ee96783f20ad81e85ece89300906c796d2
                                            • Instruction Fuzzy Hash: C92153755093C08FCB12CF24D594715BF71EB46324F29C5EBD8458B6A7C33A984ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.568936484.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fcd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction ID: 2867e02edb30477e0dd56463e78bb187d0330872ba06f1d7ebb5336e8214a0a0
                                            • Opcode Fuzzy Hash: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction Fuzzy Hash: 4411B476904240CFCF12CF10D6C4B1ABF71FB94324F2885ADD8454B656C33AD456DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000007.00000002.568936484.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_fcd000_Purchase Order.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction ID: 8bcaf255b500b0f078d832eed522018c0d5001ed519c8146999326faf0f5ef7d
                                            • Opcode Fuzzy Hash: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction Fuzzy Hash: D611AF76904280CFCF16CF14DAC4B1ABF71FB84324F2886ADD8050B656C336D85ADBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:11%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:193
                                            Total number of Limit Nodes:18
                                            Execution graph (rendered image). API nodes present: CreateProcessW, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext, ResumeThread, VirtualProtect, DuplicateHandle, SetWindowLongW, GetModuleHandleW, LoadLibraryExW, CreateWindowExW.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: <bm$<bm$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk$Nk
                                            • API String ID: 0-2217615921
                                            • Opcode ID: 69f2e5b7ff6249570b8082d3cfdd624861e85d0ac5b2052c6322f15f8fb88de2
                                            • Instruction ID: d8e609a839debd68f3ce6c940408774dff747e1dd3e69687a9904dedb01a944c
                                            • Opcode Fuzzy Hash: 69f2e5b7ff6249570b8082d3cfdd624861e85d0ac5b2052c6322f15f8fb88de2
                                            • Instruction Fuzzy Hash: 344307B4E012198FDB24DF68C888A9DB7B6BF49304F1985D9D919AB365CB30ED81CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D0bm$D0bm$D0bm$Nk$Nk$Nk$Nk$Nk
                                            • API String ID: 0-4226866508
                                            • Opcode ID: 1decceb1167474a41c188e66765e057aa7562f26bc149a0586979b9b7dd845a5
                                            • Instruction ID: 02424e2b4c3177f5b98644f1cc74be4c20c76a37e64ab5c54fd964355f0779c0
                                            • Opcode Fuzzy Hash: 1decceb1167474a41c188e66765e057aa7562f26bc149a0586979b9b7dd845a5
                                            • Instruction Fuzzy Hash: C47290B0A00119CFCB14DFA8C844AAEBBF6BF89344F198569E915EB355DB30DC41CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Nk$Nk$Nk
                                            • API String ID: 0-771949547
                                            • Opcode ID: 364de81fa61a43379dee3c946edd50642d97591786a9cdaa21e40f076e71178c
                                            • Instruction ID: 09175db795ab7f03ec3272ef42f460b17ce29d870907f8d77a7ef364363be4e3
                                            • Opcode Fuzzy Hash: 364de81fa61a43379dee3c946edd50642d97591786a9cdaa21e40f076e71178c
                                            • Instruction Fuzzy Hash: 055261B1B0021A9FCB18DFA9C494AADB7B6FF85314B198169ED06DB364DB30DC41CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47fa281d6576b50360740e7ae6f851a2d42554d16122c5c6ab8fbedf6966beac
                                            • Instruction ID: b01500e84032c3f6c914a0cab8c5712b3c1b21a43e10482b2ff76b910074b601
                                            • Opcode Fuzzy Hash: 47fa281d6576b50360740e7ae6f851a2d42554d16122c5c6ab8fbedf6966beac
                                            • Instruction Fuzzy Hash: 7A826DB1A0020ADFCB14CFA8C584AAEBBF6BF88354F198559EA45DB361D770EC41CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered image; basic blocks a7bee8-a7c158, calls GetModuleHandleW and internal subroutines a7b298, a7c163, a7c170, a7b2a4, a7b2b4, a79ca0, a7b2c4)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: lnk$lnk
                                            • API String ID: 4139908857-1122313549
                                            • Opcode ID: f5c55a3785b80754afb2d2bb4739f633026c26f1a2aaf2896725a12c1ae5358e
                                            • Instruction ID: e2bd29e85832f50538959f25c5a46ec7e7c42bb4fbdbe1f495dee2d870e742e9
                                            • Opcode Fuzzy Hash: f5c55a3785b80754afb2d2bb4739f633026c26f1a2aaf2896725a12c1ae5358e
                                            • Instruction Fuzzy Hash: C37154B0A00B058FDB24DF69C94579AB7F5BF88314F008A2DE44AD7A40DB35E846CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered image; basic blocks 7f5b477-7f5b89d, internal calls only: 7f5b8b0, 7f5b89f, 7f5baa1, 7f5bab0, 7f5bbef)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xcbm$Xcbm$Xcbm$Xcbm
                                            • API String ID: 0-2151507559
                                            • Opcode ID: 47691fc209bd404d5108ee7a1bb335366f66a2df662604625e5260ebbb77a401
                                            • Instruction ID: 0e74abb80736ff29906535a4bb32290e68ee6a142b025486b96a5907bcc3890e
                                            • Opcode Fuzzy Hash: 47691fc209bd404d5108ee7a1bb335366f66a2df662604625e5260ebbb77a401
                                            • Instruction Fuzzy Hash: 40618EB5B001199FCB149FA8D455AED7BF6EF89715F184069EA02AB394CB30DC41CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered image; basic blocks 7f5fc90-7f5fdaf, no API calls)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ID$$,bm$$,bm
                                            • API String ID: 0-3712926452
                                            • Opcode ID: 9b35fd3541b39047b1ca149160b696d1406578ac9c566da351d84f922bc3afce
                                            • Instruction ID: 8bad70eb31c3629bd68b3bff1752353d81a797c5907533d673e3236f1892e99a
                                            • Opcode Fuzzy Hash: 9b35fd3541b39047b1ca149160b696d1406578ac9c566da351d84f922bc3afce
                                            • Instruction Fuzzy Hash: 8121F6B1B142099FCB549BB8D81567A7BE5EF89204F1849B6EA05DB385DB30CD02C792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered image; basic blocks 7f5fca0-7f5fdaf, no API calls)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ID$$,bm$$,bm
                                            • API String ID: 0-3712926452
                                            • Opcode ID: 49d46b35ade9f0a5aeaebeb3b1152eaa8cf75ee18c7f77ebac7085c26d3f7a80
                                            • Instruction ID: 0b2460ef96cf0519506775de5c6b4acd491068d9c70e5d1674011d75ab9a3b3e
                                            • Opcode Fuzzy Hash: 49d46b35ade9f0a5aeaebeb3b1152eaa8cf75ee18c7f77ebac7085c26d3f7a80
                                            • Instruction Fuzzy Hash: 3E21F3B1B101099FC7549BB8D81577E76E6EFC9204F1448BADA06DB384DB30DD028792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Control-flow graph (rendered image, not reproduced here; legend Executed / Not Executed): basic blocks 7f59dd0-7f5aafe, with calls to 7f5aaff and 7f59430
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Nk
                                            • API String ID: 0-1353404103
                                            • Opcode ID: ad9f324c9b9ce3dda31eef9ce48709458bf616f0cb808b63cbead8b39c9ab22d
                                            • Instruction ID: 60b9cd30b1cd40c2882a2bfaa9a0d830369a51fe418cc4e54f57dc9aa2dad06f
                                            • Opcode Fuzzy Hash: ad9f324c9b9ce3dda31eef9ce48709458bf616f0cb808b63cbead8b39c9ab22d
                                            • Instruction Fuzzy Hash: 34728E70A0021D9FEB649BA4C850BDEBBB7BF84304F1484AED506AB798CB309E45DF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02263EEB
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 68db33b97f915dde214b29bacb131d9f06fdc677938e965ac3a21347c03eaa04
                                            • Instruction ID: bd1e7702f07fb3e3a757e7ef2e15bf75b8e0d0c0cfed9d2ba37630d83f6062fd
                                            • Opcode Fuzzy Hash: 68db33b97f915dde214b29bacb131d9f06fdc677938e965ac3a21347c03eaa04
                                            • Instruction Fuzzy Hash: A0612871D00319DFDB10CF99C984BEDBBB5BF48714F1485AAE908A7250CB319A85CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02263EEB
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 26e7e1f401d5f09d4542899420de373f147530df146deb1bb2823e9efe8d13b4
                                            • Instruction ID: aee123283f6230b31539594dcc1a658ed828e3d852c9f9e731019d52d6931746
                                            • Opcode Fuzzy Hash: 26e7e1f401d5f09d4542899420de373f147530df146deb1bb2823e9efe8d13b4
                                            • Instruction Fuzzy Hash: 0D510871D00319DFDB20CF99C884BDDBBB5BF88714F1484AAE908A7250DB719A89CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02263EEB
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: d6f33a740e2df65f04675aa5cc2a5821889c27033c8567d0b5b53e25775efa09
                                            • Instruction ID: 06b6391a37ea4c326155d0d1462521d7c48d287b0c58df0b3b833fdb2b3ea655
                                            • Opcode Fuzzy Hash: d6f33a740e2df65f04675aa5cc2a5821889c27033c8567d0b5b53e25775efa09
                                            • Instruction Fuzzy Hash: 5F512871D00319DFDB10CF99C884BDDBBB5BF88714F1484AAE508A7250CB719A89CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A7E0AA
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 5f3cf0dd7443da7948c333f83075414254258acbb0f849398c3627ab37e0a5d7
                                            • Instruction ID: 2738fd51410be5df1a2701b48026d02cf297de61a03a08aaef78ba9170b74853
                                            • Opcode Fuzzy Hash: 5f3cf0dd7443da7948c333f83075414254258acbb0f849398c3627ab37e0a5d7
                                            • Instruction Fuzzy Hash: 8D51F2B1C00349DFDB14CFA9C894ADEBBB5FF88314F24822AE519AB210D7749846CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A7E0AA
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d82735ec5347efe9ca0738f757c4744e74e6ec4fc07fd360ca638f4b812946f0
                                            • Instruction ID: 12f147d20a9ba6629ec08d7bd6f91e7b47a63a5c3923af235afcb503cd7da721
                                            • Opcode Fuzzy Hash: d82735ec5347efe9ca0738f757c4744e74e6ec4fc07fd360ca638f4b812946f0
                                            • Instruction Fuzzy Hash: 2851D0B1D10309DFDB14CF9AC884ADEBBB5BF88314F24822AE519AB210D7B49845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A7E0AA
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: ccd21ece4fd18e2c084e946b61cf6de62be7cedbbe2926af9cf0ff2c7880fc7d
                                            • Instruction ID: 8c5ba6f54820aa6752400c868802292e92bb097046044d3dbd40591aea5d6ce3
                                            • Opcode Fuzzy Hash: ccd21ece4fd18e2c084e946b61cf6de62be7cedbbe2926af9cf0ff2c7880fc7d
                                            • Instruction Fuzzy Hash: 1E51D2B1D10349DFDB14CF9AC884ADEFBB5BF88314F24856AE419AB210D7749986CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00A7E1C8,?,?,?,?), ref: 00A7E23D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 34a1dc221713a4b230ece3ebe1b55dece9ce8aa29c423ff4da4fd3308581d086
                                            • Instruction ID: 4ab636d739fb38d3c8f2499b23c7b234329a7e653713b33dc48bb0089cb3a4d8
                                            • Opcode Fuzzy Hash: 34a1dc221713a4b230ece3ebe1b55dece9ce8aa29c423ff4da4fd3308581d086
                                            • Instruction Fuzzy Hash: 3E219AB5800249DFDB11CFA5E845BDEBBF4EF49324F08C09AD448A7212C734A905CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 022643CD
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 544a630d83f0e072ed973260265a1765b8a55b218b37d44f564d0f0ee8c36c32
                                            • Instruction ID: 4438e8612398216bf89c1322f9f60cb84a1472f8831b359de38b60a768e4d658
                                            • Opcode Fuzzy Hash: 544a630d83f0e072ed973260265a1765b8a55b218b37d44f564d0f0ee8c36c32
                                            • Instruction Fuzzy Hash: 002125B1900209DFCB10CF9AD989BDEBBF4FF48314F14842AE958A7240D338A594CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 022643CD
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 28ccf8294728cddb54b5a912c67b1f49d60daa41eba2ff30bbed9c416065b89b
                                            • Instruction ID: b8bd5c22cf9fb16ee8e7c2cec24a51140757716d0b9c77dd42adc7c10f60578e
                                            • Opcode Fuzzy Hash: 28ccf8294728cddb54b5a912c67b1f49d60daa41eba2ff30bbed9c416065b89b
                                            • Instruction Fuzzy Hash: B92136B1900209DFCB10CF9AD884BDEBBF4FB48314F14842AE958A7240D374A994CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A7709E,?,?,?,?,?), ref: 00A7715F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 0a37c5e5011db4ef98079afbe370b77760d8afa48933ea7fc4cd2465f43777a5
                                            • Instruction ID: 35dccf85a654419e875036f60680e98b06fd161c3fc202d524cf97c116b01c60
                                            • Opcode Fuzzy Hash: 0a37c5e5011db4ef98079afbe370b77760d8afa48933ea7fc4cd2465f43777a5
                                            • Instruction Fuzzy Hash: 8721E5B5900208AFDB10CFAAD984ADEFBF8EB48314F14851AE914A3310D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02264247
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 987ed591efbd38c9eeb2512a3df8f5231a118dcc8a8580de3cfa51ec9f2bba8b
                                            • Instruction ID: 26f9c02e6e2792a43e13d39eb75d92413cda46c3d98357a9ed1d35a7408d2e45
                                            • Opcode Fuzzy Hash: 987ed591efbd38c9eeb2512a3df8f5231a118dcc8a8580de3cfa51ec9f2bba8b
                                            • Instruction Fuzzy Hash: F321F5B1901249DFCB10DF9AD984ADEFBF4FF48314F54842AE558A3210D374A554CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A7709E,?,?,?,?,?), ref: 00A7715F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e149855439913e6ddee751217b984ddd66f4cf4e7598b831c326cac410c0983a
                                            • Instruction ID: 9b17cb019614e09727a44341bee56160b7f7f3a89baa87ab8844909f8162c3c5
                                            • Opcode Fuzzy Hash: e149855439913e6ddee751217b984ddd66f4cf4e7598b831c326cac410c0983a
                                            • Instruction Fuzzy Hash: A221E6B5900209DFDB10CFAAD984ADEFBF4FB48314F14851AE954A7310C374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0226417F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 8c4d0e1b7c9f3cd2b913035e6aa99a1f0edc93f4949e50c76f691ac43977c4dc
                                            • Instruction ID: b5e8359c0eca607b03b1f71cae54b404323d0089c4bf197a40c82a6b9753c72d
                                            • Opcode Fuzzy Hash: 8c4d0e1b7c9f3cd2b913035e6aa99a1f0edc93f4949e50c76f691ac43977c4dc
                                            • Instruction Fuzzy Hash: 312129B1D1061A9FCB10DF9AD9497EEFBF4FB48214F14816AD418B3640D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02264247
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 8837316fb16817863d706d8e892d4e97d442de0d0c8d61a187ca0fe7da006525
                                            • Instruction ID: 4dfbf8543ba148796930975065429080f25e06c9ac7b04f1a02dc8b46e7de6b0
                                            • Opcode Fuzzy Hash: 8837316fb16817863d706d8e892d4e97d442de0d0c8d61a187ca0fe7da006525
                                            • Instruction Fuzzy Hash: 4021D0B1900259DFCB10CF9AD984ADEFBF4FB48324F14842AE968A3250D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0226417F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: cece8f1052fea10317e234b62ea367aaf286a57272588f96e9c685b3c9178f4d
                                            • Instruction ID: d8d7d195033d8a4775c37a4431119a125480803b28b1065a1a0e572e036f8f5c
                                            • Opcode Fuzzy Hash: cece8f1052fea10317e234b62ea367aaf286a57272588f96e9c685b3c9178f4d
                                            • Instruction Fuzzy Hash: 31214AB1D106199FCB10CF9AC9457EEFBF8FB48214F148169D418B3640D774A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07FAC323
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551928198.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7fa0000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 3753b1fa5483404110d029fe878efd0db63be2394ea3c8efa80a4f097aa939a9
                                            • Instruction ID: e1e426c7834c8f97d7314567e1749a0e3bb7f031d1478f5d24c72de46dbca612
                                            • Opcode Fuzzy Hash: 3753b1fa5483404110d029fe878efd0db63be2394ea3c8efa80a4f097aa939a9
                                            • Instruction Fuzzy Hash: CF21D6B5D006499FCB10CF9AD984BDEFBF4FB48324F148429E558A7250D374A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A7C1A9,00000800,00000000,00000000), ref: 00A7C3BA
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 52bca995c5c578916a120034b0dfb82d334b47d9b6532b5aebc844e2a2f02500
                                            • Instruction ID: ed2a56db476ac3b64dc8e1a792095c644b9feb28b2272fa1116fb4f4d61e211c
                                            • Opcode Fuzzy Hash: 52bca995c5c578916a120034b0dfb82d334b47d9b6532b5aebc844e2a2f02500
                                            • Instruction Fuzzy Hash: F211D3B69002099FDB10CF9AD844BDEFBF4AB88324F14C52ED519BB600C375A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A7C1A9,00000800,00000000,00000000), ref: 00A7C3BA
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: b6e486b3594549a873a933a29bd0ae233da9047bb2ef51755a39b12f0a766ba3
                                            • Instruction ID: 29b4d5921b91326ccbdb63d079f00773cb9dc98da903e7238cad393f7d1c6e1d
                                            • Opcode Fuzzy Hash: b6e486b3594549a873a933a29bd0ae233da9047bb2ef51755a39b12f0a766ba3
                                            • Instruction Fuzzy Hash: 4811E4B6900209CFDB10CF9AD444ADEFBF5AB88324F14C42ED559A7640C375A945CFA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02264303
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: b321d61731b9f597df351a8f65c679f2869ddf25c4b4205f207656db3b01689e
                                            • Instruction ID: e5538cbba7347610fb4593309bc0cc3711df28b331141fdd9954f83605443ba6
                                            • Opcode Fuzzy Hash: b321d61731b9f597df351a8f65c679f2869ddf25c4b4205f207656db3b01689e
                                            • Instruction Fuzzy Hash: 5B113776900249DFCB20DFDAD948BEEBFF4EB48324F148419E558A7210C334A994CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00A7BEFB), ref: 00A7C12E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 9d2de0554e1f35bd37f06e5c54dd10828b492974dbae505b9d359e32843cb52e
                                            • Instruction ID: ef8b53185202d3a20a3815c2caffde8ed03cc6985c03888eec5838f44a8d37f8
                                            • Opcode Fuzzy Hash: 9d2de0554e1f35bd37f06e5c54dd10828b492974dbae505b9d359e32843cb52e
                                            • Instruction Fuzzy Hash: 9111C0B6D006498BDB20CF9AC844BDEFBF4EB88324F14C52ED569A7601D374A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02264303
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 0e7b41ab23d441f3118d65238cb66ec7d145c3722ec9716116185cc8365520bf
                                            • Instruction ID: f59ac0be57934884aeeab3469e36caf14aeb4e5ea2e208739b4c9ef50c337aca
                                            • Opcode Fuzzy Hash: 0e7b41ab23d441f3118d65238cb66ec7d145c3722ec9716116185cc8365520bf
                                            • Instruction Fuzzy Hash: C711E675900649DFCB10DF9AD948BDEBBF4FB48324F148419E568A7210C375A554CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00A7E1C8,?,?,?,?), ref: 00A7E23D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_a70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: 377bb520bc82c897a9d138b50aa1e4bfc360a3083274684e0b6d6fed9eb6357c
                                            • Instruction ID: f60b17c6d80f7b382f780972022509db1dc3b114c7c6a27b69f3db26648a0251
                                            • Opcode Fuzzy Hash: 377bb520bc82c897a9d138b50aa1e4bfc360a3083274684e0b6d6fed9eb6357c
                                            • Instruction Fuzzy Hash: 3811F5B59002089FDB10DF9AD985BDEBBF8EB88324F148559EA59A7201C374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 2786ba7b6092a3ba1113e75aae128c8f61b4ef4d02c8fb3155814bfb4c7e9320
                                            • Instruction ID: cd7044d8a72a2bbeed37b96c389e40ecb62aee8d9236beaf20a326308e79181e
                                            • Opcode Fuzzy Hash: 2786ba7b6092a3ba1113e75aae128c8f61b4ef4d02c8fb3155814bfb4c7e9320
                                            • Instruction Fuzzy Hash: EC1115B1900249CFCB20DF9AD548BDEFBF4EB88324F24845AD568A7210C374A985CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_2260000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 712d1dae311385eb0b0425915e3d0e33ff12e7008433154eed10ce6cf4249876
                                            • Instruction ID: 10a772c3f450607d626d76b1fe9de4220434813e2416dc4d3fa0277b0bdae259
                                            • Opcode Fuzzy Hash: 712d1dae311385eb0b0425915e3d0e33ff12e7008433154eed10ce6cf4249876
                                            • Instruction Fuzzy Hash: 4C112AB1800249CFCB10DF9AD548BDEFBF4EB48324F148419D568A3200C374A544CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%
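
The records above are easier to read when grouped by the memory region they came from rather than one function at a time. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the five API-bearing records listed above (copied verbatim as constructed input), maps each dump region to the Windows APIs captured in it, and flags regions that carry remote-process injection primitives. The process index (0x11 = 17) and dump pass (2) in the Source File names match the report's own Snapshot File names (hcaresult_17_2_...); reading the fifth dot-separated field as a page-protection value is an assumption about Joe Sandbox's naming and is marked as such in the code. The list of injection APIs is a generic set; only VirtualAllocEx and ResumeThread occur in this excerpt.

```python
"""Group the Joe Sandbox function records above by memory region and flag
injection-related APIs. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed input: the five API-bearing records from the report, with the
# hash lines (which this parser does not use) left out.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A7C1A9,00000800,00000000,00000000), ref: 00A7C3BA
Memory Dump Source
• Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID: LibraryLoad
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02264303
Memory Dump Source
• Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Similarity
• API ID: AllocVirtual
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00A7BEFB), ref: 00A7C12E
Memory Dump Source
• Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID: HandleModule
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00A7E1C8,?,?,?,?), ref: 00A7E23D
Memory Dump Source
• Source File: 00000011.00000002.542126415.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A70000, based on PE: false
Similarity
• API ID: LongWindow
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000011.00000002.542357681.0000000002260000.00000040.00000800.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Similarity
• API ID: ResumeThread
Uniqueness Score: -1.00%
"""

API_CALL = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")

# winnt.h page-protection constants, used only under the assumption below.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Generic remote-injection primitives; only two of them appear in the excerpt.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory",
                  "CreateRemoteThread", "NtCreateThreadEx", "SetThreadContext",
                  "NtUnmapViewOfSection", "ResumeThread"}


def parse_dump_name(name):
    """Split a .sdmp name into fields. Fields 0 and 1 match the '17' and '2' in
    the report's Snapshot File names, so they are read as process index and
    dump pass. Treating field 4 as the page protection is an ASSUMPTION."""
    fields = name[: -len(".sdmp")].split(".")
    protect = int(fields[4], 16)
    return {"process": int(fields[0], 16), "dump_pass": int(fields[1], 16),
            "base": int(fields[3], 16), "protect": PAGE_PROTECT.get(protect, hex(protect))}


def parse_records(text):
    """One dict per record; a record ends at its 'Uniqueness Score' line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            if cur.get("offset"):
                records.append(cur)
            cur = {"apis": []}
            continue
        m = API_CALL.match(line)          # captured call: Name.Module(args), ref: addr
        if m:
            cur["apis"].append({"name": m.group(1), "module": m.group(2), "ref": m.group(4)})
            continue
        m = FIELD.match(line)
        if not m:
            continue                      # section headings such as 'APIs', 'Similarity'
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            s = SOURCE.match(value)
            cur["offset"] = s.group(2)
            cur["pe_backed"] = s.group(3) == "true"
            cur["dump"] = parse_dump_name(s.group(1))
        elif key == "API ID":
            cur["api_id"] = value
    return records


def apis_by_region(records):
    """Region base (hex string) -> sorted API names. Falls back to the API ID
    when the record carries no captured call line (the ResumeThread records)."""
    regions = defaultdict(set)
    for r in records:
        names = {a["name"] for a in r["apis"]} or {r.get("api_id", "")}
        regions[r["offset"]].update(n for n in names if n)
    return {k: sorted(v) for k, v in regions.items()}


def injection_indicators(records):
    """Regions whose APIs intersect INJECTION_APIS, with their 'based on PE' flag:
    injection primitives in a region that is not backed by a file on disk is the
    pattern an analyst wants surfaced from a report like this one."""
    out = {}
    for offset, names in apis_by_region(records).items():
        hits = sorted(set(names) & INJECTION_APIS)
        if hits:
            backed = any(r["pe_backed"] for r in records if r["offset"] == offset)
            out[offset] = {"apis": hits, "pe_backed": backed}
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, names in sorted(apis_by_region(recs).items()):
        print(off, names)
    print(injection_indicators(recs))
    print(recs[0]["dump"])
```

On the excerpt this separates the two regions cleanly: 00A70000 holds loader-style calls (GetModuleHandleW, LoadLibraryExW, SetWindowLongW), while 02260000 holds VirtualAllocEx and ResumeThread, and every region in process 17 is reported as not backed by a PE. The same parser runs over the full function list if the whole report section is pasted in place of SAMPLE.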

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Nk
                                            • API String ID: 0-1353404103
                                            • Opcode ID: 424fdfdc99900b330705d6c8159f1880f3e8b11fa58f4bb95f1c14158688c36b
                                            • Instruction ID: 9b92811067854640ae9406838929cb0330b6c8bb0d3a63005e62334ca14eccdb
                                            • Opcode Fuzzy Hash: 424fdfdc99900b330705d6c8159f1880f3e8b11fa58f4bb95f1c14158688c36b
                                            • Instruction Fuzzy Hash: 06413AB0B0011AAFCF149F64D849AAEB7A7EFC4314F198428ED02973A4DB34DC52CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc1058c8b8f7a1d5a32dee3a20ce886f9cc4341746028dbfdc142bf2919520cd
                                            • Instruction ID: a0bc293e08060592a2f42bd769e00e9aaa35fb550d4f240a55b5aea94def82ed
                                            • Opcode Fuzzy Hash: bc1058c8b8f7a1d5a32dee3a20ce886f9cc4341746028dbfdc142bf2919520cd
                                            • Instruction Fuzzy Hash: A2D11BB5E001198FCB04DF69C98499DBBF6FF88310B1AC1A9EA15AB361CB31EC51CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9dcb7d804d9b59086b8b6a1aba0aa788115fbf1aa9c0f566fb5865af016abc3c
                                            • Instruction ID: a860927b3c208359a0bfdfbbaadb1c552cc3adfed95df1a73faaa98a2bf7bfcf
                                            • Opcode Fuzzy Hash: 9dcb7d804d9b59086b8b6a1aba0aa788115fbf1aa9c0f566fb5865af016abc3c
                                            • Instruction Fuzzy Hash: 57C1FBB5E001198FCB04DFA9C98899DBFF6BF88310B1AC159EA15AB361C734EC51CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cb9b41b11266af9497cecbb481b8c420120c021d3e47d163ab481056f8e502de
                                            • Instruction ID: d0b676a740d5519a441ad382574272ef2eb529ea5f7d4e15ddf92a6ef228a379
                                            • Opcode Fuzzy Hash: cb9b41b11266af9497cecbb481b8c420120c021d3e47d163ab481056f8e502de
                                            • Instruction Fuzzy Hash: D851A3B5724116CFC708DF39D88496A7BE9FF8925570A44B6EA06CB362DB61EC01CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01e5293abebf2b2459b20271c6f1b3069e05b79ffc458566cefac9ba9800fdca
                                            • Instruction ID: ea2296a3a48ba6935f8fdf30f64bfed2045736382de1710acd49682dba674931
                                            • Opcode Fuzzy Hash: 01e5293abebf2b2459b20271c6f1b3069e05b79ffc458566cefac9ba9800fdca
                                            • Instruction Fuzzy Hash: 6D51D7B0B042959FDB00DBB8C8257BE7BE2EF85315F1484A6DA01DB389DB348D41C7A6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9406ca7a564a107130593ca665867c2d500af884540b92ca85695444f4f075c4
                                            • Instruction ID: afa05cfa1f8a9920d19ba33c21477c7327ffc26610712bd278b4d8810ee15f3a
                                            • Opcode Fuzzy Hash: 9406ca7a564a107130593ca665867c2d500af884540b92ca85695444f4f075c4
                                            • Instruction Fuzzy Hash: E541D7B0B001599FDB04DBB4C8157BE76E2EF88305F148466DA06EB389DB348D01C7A6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 587b05ade0aa810ea76d01e8a3f57b2de1328d141c995144288f81705d5e52ef
                                            • Instruction ID: 42b4f30d625cefc9890c34966afa34e6423e095495514a40490b285b22a76b49
                                            • Opcode Fuzzy Hash: 587b05ade0aa810ea76d01e8a3f57b2de1328d141c995144288f81705d5e52ef
                                            • Instruction Fuzzy Hash: C4414CB5A10219DFCB09DF28D998AAA3BF6BF89311F140069EA068B361C771ED50CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b5dcc612dfea893ec10c18c262b37b124e4b99234ac30bff8d571955d4268851
                                            • Instruction ID: c1fb41de65f0f0e456b3be213c707b92f873a40cc872eb89a6115bcfe7bcec8f
                                            • Opcode Fuzzy Hash: b5dcc612dfea893ec10c18c262b37b124e4b99234ac30bff8d571955d4268851
                                            • Instruction Fuzzy Hash: 3721F3B1718216CBDB19A735C4542BD339BEFC5249F1C8039DA42CB395DFAADC428382
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb7ed7ddb1eff5e131ffa9168ab6421e2a5e10a5dd555126a088cc33bde7c75b
                                            • Instruction ID: 4fd19bc3103cf39ffb0ca5e1e5688c8cf3962495b25b90fc56a58d516f114c0d
                                            • Opcode Fuzzy Hash: bb7ed7ddb1eff5e131ffa9168ab6421e2a5e10a5dd555126a088cc33bde7c75b
                                            • Instruction Fuzzy Hash: 0C21D8F1B0414ADFCB08DE65D8806BB7BEABB85241F494425EE16CB355D7B0E800CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e13e21a48733f1362ca7cef1004fc41ad1c7ee6219c9e78dc927cd9bbcda5a87
                                            • Instruction ID: 07e3eb6be0fe0a58a71e328d7ec1a75b09acb5b34f013d6a7dcfbb2c60458ab7
                                            • Opcode Fuzzy Hash: e13e21a48733f1362ca7cef1004fc41ad1c7ee6219c9e78dc927cd9bbcda5a87
                                            • Instruction Fuzzy Hash: E0216DB5B0420A8FCB10DFB8C484AADBBF5EF85214F194466EA05DB361D734E845CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541018395.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_69d000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09e88b20fa1636d96b47383fdae7a8da0d0e501068fbc457d1fa53e6f0ff027f
                                            • Instruction ID: 922c6e0e9c9f36f72e3a7e3c914fb70af90ffb256d0ab9c475f6f436af197e18
                                            • Opcode Fuzzy Hash: 09e88b20fa1636d96b47383fdae7a8da0d0e501068fbc457d1fa53e6f0ff027f
                                            • Instruction Fuzzy Hash: 49212571500200DFCF05DF54D9C0B66BBAAFB98328F248579E9090B756C33AD856CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541086837.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6bd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7a10c6b1a0ee4fd0d484a746f1e59d6ed02fd008971d0e4283f251217c1b6f4
                                            • Instruction ID: 8996fadfc318f92edf9497b2e868f1eb179dc39d441c203fb837fb9540f0301b
                                            • Opcode Fuzzy Hash: e7a10c6b1a0ee4fd0d484a746f1e59d6ed02fd008971d0e4283f251217c1b6f4
                                            • Instruction Fuzzy Hash: FB2103B1504200DFCB14EF54D9C4BA6BBA6EB84324F24C969D8090F346D73AD887CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541086837.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6bd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d25169d6a57772afe381e7760c2383972f0417ea48118feb6e8705b3e8f8f3e2
                                            • Instruction ID: c95a1d63b95a55fb3cb8c0a7b8a3cd7f187babbd406a9c0d80a9d308c6ca9317
                                            • Opcode Fuzzy Hash: d25169d6a57772afe381e7760c2383972f0417ea48118feb6e8705b3e8f8f3e2
                                            • Instruction Fuzzy Hash: 682137B1504280EFCB05CF54C9C0BA6BBA6FB84318F20C96DDA094F342D736D986CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cd001129d89d82c9e8030a09b73a0fb5787a40e23890a181b873edb16086c7a7
                                            • Instruction ID: 113c3403948676688403ae290f4f7966972ed0c354be29ab5ab49e32349dac94
                                            • Opcode Fuzzy Hash: cd001129d89d82c9e8030a09b73a0fb5787a40e23890a181b873edb16086c7a7
                                            • Instruction Fuzzy Hash: 471106F3B1C11A9BD3088A2CCD5933A7ADAEB45214F0D89B7EF43CB2C1D674C9408690
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541086837.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6bd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 55db0ec552efc28accf60a112e18e31ed409cb13a79fcc1617e214d4e156b01e
                                            • Instruction ID: 09e6db86b32b584396944796e8fc9525f6c84dad9c1ea67c84382f0e16e24dd8
                                            • Opcode Fuzzy Hash: 55db0ec552efc28accf60a112e18e31ed409cb13a79fcc1617e214d4e156b01e
                                            • Instruction Fuzzy Hash: C121B0754083808FCB02DF20C990B41BF71EB46314F28C1DAC8488F2A7C33A984ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7307edec665a0eecc5c5e13a9181091a859b4c88342e7e5c4c02f23e0037b7c2
                                            • Instruction ID: bcab47d3d31aeca6b2521a0605a86c22aa07e200010842a8096a35849eb48c6e
                                            • Opcode Fuzzy Hash: 7307edec665a0eecc5c5e13a9181091a859b4c88342e7e5c4c02f23e0037b7c2
                                            • Instruction Fuzzy Hash: CF21CDB1E00609DFCB24CF94C844BAABBF6EB08354F08C06AEA198B111D375D944CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541018395.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_69d000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction ID: 4bee0062d61467d57a0836e12ad0d20fb315bd3d43008e58946a95ef4913fed9
                                            • Opcode Fuzzy Hash: 80f0594bee8868593b253288601a07ef2959b201ea6725fd913386ffcdecb2b8
                                            • Instruction Fuzzy Hash: 2C11AF76404280DFCF12CF14D5C4B56BF72FB94324F2486A9D8050B756C33AD85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541086837.00000000006BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6bd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1dbedae0698d52e0643ce1b7d8e11560290ac4443e7eb4d9f0d1352bf0b3008
                                            • Instruction ID: e7bcd95368dceadc8a0dbc36992b0d2ba1c0688ed9589e1b6cf0fa07d47f4809
                                            • Opcode Fuzzy Hash: f1dbedae0698d52e0643ce1b7d8e11560290ac4443e7eb4d9f0d1352bf0b3008
                                            • Instruction Fuzzy Hash: 0B11A9B5504280DFCB12CF10C6C0B95BBA2FB84324F28C6A9D9494B756C33AD98ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541018395.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_69d000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bbcb0722566698c02aacfe9b8cfd3ef2491636b92b89696ad5de0725a5706166
                                            • Instruction ID: e8a63e7d13782e62fe3eaf694fcea89f780669691ff46e65626a0de2bc5820fb
                                            • Opcode Fuzzy Hash: bbcb0722566698c02aacfe9b8cfd3ef2491636b92b89696ad5de0725a5706166
                                            • Instruction Fuzzy Hash: CD01F7310083449EEF104AE5CD847A6FBDCEF41764F18887AED050EB82C7789C44CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.541018395.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_69d000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 364bbad5c369ee734a036b7fd1676e4b28c01d186b07769b5f8d17ac65be7f26
                                            • Instruction ID: a18b7bcef776e2e0f9f7e3efc9559cfbbff66ce29677b25722c7840973218424
                                            • Opcode Fuzzy Hash: 364bbad5c369ee734a036b7fd1676e4b28c01d186b07769b5f8d17ac65be7f26
                                            • Instruction Fuzzy Hash: D2F0C2714043849EEB108A56CD84BA6FFACEB41734F18C46AED080F782C3789844CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ee1f2a839173238b4efbdd742309b80b87faefad9a6aeb40c9a4a6bf4679080
                                            • Instruction ID: 105a30f0181dcddab32098c56eda7d3bf6787c5de9b210ad8209560c95d85551
                                            • Opcode Fuzzy Hash: 8ee1f2a839173238b4efbdd742309b80b87faefad9a6aeb40c9a4a6bf4679080
                                            • Instruction Fuzzy Hash: 84F0F9B590934DAFCB02DFA8E8056EEBFB1FF09210F0446AAE85496252D7714650DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6c10c70dcf9c2ac6c21429dec82eb18fa1365e6f4fd88f4d2a10e05ae3ab7fc
                                            • Instruction ID: 08c27955a0768a9254634d741d992ad6bb772b29b596c691cf14cfcf4860e6b8
                                            • Opcode Fuzzy Hash: e6c10c70dcf9c2ac6c21429dec82eb18fa1365e6f4fd88f4d2a10e05ae3ab7fc
                                            • Instruction Fuzzy Hash: A4F0EC756053495FCB1116B5FD496E67F64AB41161F04407BEA4085543D6308099C3B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 320536440241da271d2e6e40b8d5939db9919d8a91029b9c937bbd346aa06636
                                            • Instruction ID: e25a0d9ba35eceed4dedf978d4e3e878e440fab093488e6805383079a569f6dc
                                            • Opcode Fuzzy Hash: 320536440241da271d2e6e40b8d5939db9919d8a91029b9c937bbd346aa06636
                                            • Instruction Fuzzy Hash: F9F01CB4D0420DEFCF04DFE8D8016ADBBB5FB48300F008669E814A2351D7719660EF41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: lnk$lnk$lnk$lnk$lnk$lnk
                                            • API String ID: 0-3204212817
                                            • Opcode ID: 6aad2d3b2ee8b7ae20d15596b217d1972a8c62a2825d99f25dee4ab5b7f71154
                                            • Instruction ID: 7902481adf387d554d9659ee05cf2a1dbdd6cf416eb87c811bb10242fd78e4bf
                                            • Opcode Fuzzy Hash: 6aad2d3b2ee8b7ae20d15596b217d1972a8c62a2825d99f25dee4ab5b7f71154
                                            • Instruction Fuzzy Hash: 72E1AFB0A002048FDB18DFA9C49469DBBF6EF89314F14856DE506EB395DF34AC46CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xcbm$Xcbm$|gf^$Nk$Nk$Nk
                                            • API String ID: 0-707201748
                                            • Opcode ID: 7fc4706c178ffcf11d51b28f81ae373d7888ccb3366fe837b95b4d1a6fa22e7c
                                            • Instruction ID: f55c3811b6aee2e9ab1782dd8c1aab85ad774274672791bc681b96cbc739ea74
                                            • Opcode Fuzzy Hash: 7fc4706c178ffcf11d51b28f81ae373d7888ccb3366fe837b95b4d1a6fa22e7c
                                            • Instruction Fuzzy Hash: 1DB107717042559FCB05AFB4D859BAE7BA6EF89318F084829EA05CB391DF34CC45CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D0bm$Xcbm$Xcbm$Nk$Nk
                                            • API String ID: 0-3068094719
                                            • Opcode ID: e71f75ef97746012c61c913adfd64128267dde094d2776317a4c3abc6db592a3
                                            • Instruction ID: e8a9b1aee5d7c12030708e040b87fb87fb5613470b7d35fbfbd5a4d92b347208
                                            • Opcode Fuzzy Hash: e71f75ef97746012c61c913adfd64128267dde094d2776317a4c3abc6db592a3
                                            • Instruction Fuzzy Hash: 38C102B5B041158FCB19ABB8C4589BD3BE7AFCA614B1944EED606CB3A5CF70CC418792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Kbm$Kbm$Kbm$Kbm
                                            • API String ID: 0-261881988
                                            • Opcode ID: 900dbe0a67e957baa9de0d84e538703ee2a2808f30c433dcd9248f30baa2cbe7
                                            • Instruction ID: 818ceabffe184bcd37df0127c5017a2cc5f9239e4976159993609c1a8ced7b3d
                                            • Opcode Fuzzy Hash: 900dbe0a67e957baa9de0d84e538703ee2a2808f30c433dcd9248f30baa2cbe7
                                            • Instruction Fuzzy Hash: 4D11A5B13046119F8B50EF7EE4D4A1A77DAAF8E65474440BCEA0ACB361DF61EC058BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.551849436.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_7f50000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ]m$]m$]m$]m
                                            • API String ID: 0-2738894597
                                            • Opcode ID: 5f881afaf976286a6444370f48662c3096be862092cc4e1c0f3fe1eefa0614c4
                                            • Instruction ID: 52e527253a9a9f992098d1172f780d6a50445f2486da1dd6e6971a8f7af010bd
                                            • Opcode Fuzzy Hash: 5f881afaf976286a6444370f48662c3096be862092cc4e1c0f3fe1eefa0614c4
                                            • Instruction Fuzzy Hash: B20188F1B100129F8764AE2DC454D5E73DAAFE576471A4165EA05CB378DA30DC418771
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage: 13.3%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 0%
                                            Total number of Nodes: 162
                                            Total number of Limit Nodes: 21
                                            execution_graph 18190 84338d0 18192 84338f4 18190->18192 18191 8433953 18192->18191 18198 843a103 18192->18198 18201 843a5be 18192->18201 18204 843b248 18192->18204 18207 8439e2b 18192->18207 18210 8439f67 18192->18210 18213 843c2b0 18198->18213 18203 843c2b0 VirtualProtect 18201->18203 18202 843a5cf 18203->18202 18206 843c2b0 VirtualProtect 18204->18206 18205 843b259 18206->18205 18209 843c2b0 VirtualProtect 18207->18209 18208 8439e5c 18209->18208 18212 843c2b0 VirtualProtect 18210->18212 18211 8439f78 18212->18211 18214 843c2f8 VirtualProtect 18213->18214 18215 843a117 18214->18215 18335 4a30416 18339 4a320a1 18335->18339 18343 4a320b0 18335->18343 18336 4a30422 18341 4a320aa 18339->18341 18340 4a3213c 18340->18336 18341->18340 18347 4a32460 18341->18347 18344 4a320cd 18343->18344 18345 4a3213c 18344->18345 18346 4a32460 CreateProcessW 18344->18346 18345->18336 18346->18344 18348 4a32497 18347->18348 18349 4a324f7 18348->18349 18356 4a32986 18348->18356 18360 4a32947 18348->18360 18364 4a329d7 18348->18364 18368 4a32758 18348->18368 18372 4a32748 18348->18372 18376 4a32959 18348->18376 18349->18341 18358 4a327c0 18356->18358 18357 4a3293a 18357->18348 18358->18357 18380 4a30cb4 18358->18380 18362 4a327c0 18360->18362 18361 4a3293a 18361->18348 18362->18361 18363 4a30cb4 CreateProcessW 18362->18363 18363->18362 18366 4a327c0 18364->18366 18365 4a3293a 18365->18348 18366->18365 18367 4a30cb4 CreateProcessW 18366->18367 18367->18366 18369 4a3278b 18368->18369 18370 4a30cb4 CreateProcessW 18369->18370 18371 4a3293a 18369->18371 18370->18369 18371->18348 18373 4a3278b 18372->18373 18374 4a30cb4 CreateProcessW 18373->18374 18375 4a3293a 18373->18375 18374->18373 18375->18348 18378 4a327c0 18376->18378 18377 4a3293a 18377->18348 18378->18377 18379 4a30cb4 CreateProcessW 18378->18379 18379->18378 18381 4a33d98 CreateProcessW 18380->18381 18383 4a33f00 18381->18383 18216 e76eb0 GetCurrentProcess 18217 e76f2a GetCurrentThread 
18216->18217 18221 e76f23 18216->18221 18218 e76f67 GetCurrentProcess 18217->18218 18219 e76f60 18217->18219 18220 e76f9d 18218->18220 18219->18218 18222 e76fc5 GetCurrentThreadId 18220->18222 18221->18217 18223 e76ff6 18222->18223 18224 e77680 18225 e776a8 18224->18225 18227 e776d0 18225->18227 18228 e76b04 18225->18228 18229 e76b0f 18228->18229 18241 e79d50 18229->18241 18250 e79d60 18229->18250 18259 e79f64 18229->18259 18230 e77b4d 18231 e77740 LoadLibraryExW GetModuleHandleW 18230->18231 18232 e77b67 18231->18232 18233 e77750 LoadLibraryExW GetModuleHandleW 18232->18233 18234 e77b6e 18233->18234 18236 e7bb50 LoadLibraryExW GetModuleHandleW 18234->18236 18237 e7bb38 LoadLibraryExW GetModuleHandleW 18234->18237 18235 e77b78 18235->18227 18236->18235 18237->18235 18242 e79d60 18241->18242 18244 e79db7 18242->18244 18246 e7a06a 18242->18246 18272 e799b8 18242->18272 18247 e79dcf 18244->18247 18276 e77750 18244->18276 18247->18246 18264 e7aa09 18247->18264 18268 e7aa18 18247->18268 18251 e79d8e 18250->18251 18252 e799b8 GetFocus 18251->18252 18253 e79db7 18251->18253 18255 e7a06a 18251->18255 18252->18253 18254 e77750 2 API calls 18253->18254 18256 e79dcf 18253->18256 18254->18256 18255->18255 18256->18255 18257 e7aa09 2 API calls 18256->18257 18258 e7aa18 2 API calls 18256->18258 18257->18255 18258->18255 18260 e79f81 18259->18260 18261 e7a06a 18260->18261 18262 e7aa09 2 API calls 18260->18262 18263 e7aa18 2 API calls 18260->18263 18261->18261 18262->18261 18263->18261 18265 e7aa35 18264->18265 18266 e77750 2 API calls 18265->18266 18267 e7aa79 18265->18267 18266->18267 18267->18246 18269 e7aa35 18268->18269 18270 e7aa79 18269->18270 18271 e77750 2 API calls 18269->18271 18270->18246 18271->18270 18273 e799c3 18272->18273 18275 e7a375 18273->18275 18280 e79a3c 18273->18280 18275->18244 18277 e7775b 18276->18277 18284 e7b1c0 18277->18284 18279 e7b97f 18279->18247 18281 e79a47 18280->18281 18282 e7a430 GetFocus 18281->18282 18283 e7a429 18281->18283 18282->18283 
18283->18275 18285 e7b1cb 18284->18285 18286 e7baf1 18285->18286 18287 e7ba52 18285->18287 18291 e7bb50 18285->18291 18298 e7bb38 18285->18298 18286->18279 18287->18286 18288 e7b1c0 2 API calls 18287->18288 18288->18287 18293 e7bb81 18291->18293 18294 e7bbce 18291->18294 18292 e7bb8d 18292->18287 18293->18292 18305 e7be88 18293->18305 18308 e7bed8 18293->18308 18316 e7be98 18293->18316 18294->18287 18300 e7bb81 18298->18300 18301 e7bbce 18298->18301 18299 e7bb8d 18299->18287 18300->18299 18302 e7be88 2 API calls 18300->18302 18303 e7be98 2 API calls 18300->18303 18304 e7bed8 2 API calls 18300->18304 18301->18287 18302->18301 18303->18301 18304->18301 18307 e7bed8 2 API calls 18305->18307 18306 e7bea2 18306->18294 18307->18306 18309 e7befb 18308->18309 18311 e7bf13 18309->18311 18319 e7c162 18309->18319 18323 e7c170 18309->18323 18310 e7bf0b 18310->18311 18312 e7c110 GetModuleHandleW 18310->18312 18311->18294 18313 e7c13d 18312->18313 18313->18294 18317 e7bea2 18316->18317 18318 e7bed8 2 API calls 18316->18318 18317->18294 18318->18317 18320 e7c184 18319->18320 18321 e7c1a9 18320->18321 18327 e7b2f0 18320->18327 18321->18310 18324 e7c184 18323->18324 18325 e7c1a9 18324->18325 18326 e7b2f0 LoadLibraryExW 18324->18326 18325->18310 18326->18325 18328 e7c350 LoadLibraryExW 18327->18328 18330 e7c3c9 18328->18330 18330->18321 18331 e7b948 18332 e7b958 18331->18332 18333 e7b1c0 2 API calls 18332->18333 18334 e7b97f 18333->18334 18384 e770d8 DuplicateHandle 18385 e7716e 18384->18385 18386 e7df98 18387 e7e000 CreateWindowExW 18386->18387 18389 e7e0bc 18387->18389 18389->18389

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00E76F10
                                            • GetCurrentThread.KERNEL32 ref: 00E76F4D
                                            • GetCurrentProcess.KERNEL32 ref: 00E76F8A
                                            • GetCurrentThreadId.KERNEL32 ref: 00E76FE3
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 2b1b9f42ca6e9c8fc628cd7ccfb1f1b57033290ec9c75a32f3cff6cdfd46849f
                                            • Instruction ID: 3ebc3cf2346ee3f6cf0c97f66d9c4576a080627ac64f2d2949d5af22977390cc
                                            • Opcode Fuzzy Hash: 2b1b9f42ca6e9c8fc628cd7ccfb1f1b57033290ec9c75a32f3cff6cdfd46849f
                                            • Instruction Fuzzy Hash: 9F5154B4A00649CFDB14CFA9D5497EEBBF0EF88308F248469E059B7250D774A848CF26
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00E76F10
                                            • GetCurrentThread.KERNEL32 ref: 00E76F4D
                                            • GetCurrentProcess.KERNEL32 ref: 00E76F8A
                                            • GetCurrentThreadId.KERNEL32 ref: 00E76FE3
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 7181ba4e74c3994e76243664d7f954a5851b5d2d8ffd84fa919d85c7695826b1
                                            • Instruction ID: 6c600b66eebaf8c4fa181e31afadbe363ccb37bff1e51c82f6a35e8e177eecf4
                                            • Opcode Fuzzy Hash: 7181ba4e74c3994e76243664d7f954a5851b5d2d8ffd84fa919d85c7695826b1
                                            • Instruction Fuzzy Hash: F05146B4A00649CFDB14CFAAD5487DEBBF0AF88318F20C469E059B7250D7746844CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 219 e7bed8-e7befd call e7b298 222 e7bf13-e7bf17 219->222 223 e7beff 219->223 224 e7bf2b-e7bf6c 222->224 225 e7bf19-e7bf23 222->225 272 e7bf05 call e7c162 223->272 273 e7bf05 call e7c170 223->273 230 e7bf6e-e7bf76 224->230 231 e7bf79-e7bf87 224->231 225->224 226 e7bf0b-e7bf0d 226->222 227 e7c048-e7c108 226->227 267 e7c110-e7c13b GetModuleHandleW 227->267 268 e7c10a-e7c10d 227->268 230->231 233 e7bfab-e7bfad 231->233 234 e7bf89-e7bf8e 231->234 235 e7bfb0-e7bfb7 233->235 236 e7bf90-e7bf97 call e7b2a4 234->236 237 e7bf99 234->237 239 e7bfc4-e7bfcb 235->239 240 e7bfb9-e7bfc1 235->240 238 e7bf9b-e7bfa9 236->238 237->238 238->235 243 e7bfcd-e7bfd5 239->243 244 e7bfd8-e7bfe1 call e7b2b4 239->244 240->239 243->244 249 e7bfe3-e7bfeb 244->249 250 e7bfee-e7bff3 244->250 249->250 252 e7bff5-e7bffc 250->252 253 e7c011-e7c01e 250->253 252->253 255 e7bffe-e7c00e call e79ca0 call e7b2c4 252->255 259 e7c041-e7c047 253->259 260 e7c020-e7c03e 253->260 255->253 260->259 269 e7c144-e7c158 267->269 270 e7c13d-e7c143 267->270 268->267 270->269 272->226 273->226
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E7C12E
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 453be0c56687d619b4840daf874fea75e378dec5854fe4ee61457938f598b661
                                            • Instruction ID: 751fa70a1401a23c295d1f18563c7bace917032a4b1d21985fa2999becca8724
                                            • Opcode Fuzzy Hash: 453be0c56687d619b4840daf874fea75e378dec5854fe4ee61457938f598b661
                                            • Instruction Fuzzy Hash: 75814570A00B058FD724DF69C85579ABBF5BF88304F10892DE48AEBA51DB35E846CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 274 4a33d41-4a33d48 275 4a33dab-4a33e23 274->275 276 4a33d4a-4a33d68 274->276 280 4a33e25-4a33e2b 275->280 281 4a33e2e-4a33e35 275->281 278 4a33d6a 276->278 279 4a33d6f-4a33d80 276->279 278->279 280->281 282 4a33e40-4a33e56 281->282 283 4a33e37-4a33e3d 281->283 285 4a33e61-4a33efe CreateProcessW 282->285 286 4a33e58-4a33e5e 282->286 283->282 288 4a33f00-4a33f06 285->288 289 4a33f07-4a33f7b 285->289 286->285 288->289 297 4a33f8d-4a33f94 289->297 298 4a33f7d-4a33f83 289->298 299 4a33f96-4a33fa5 297->299 300 4a33fab 297->300 298->297 299->300 302 4a33fac 300->302 302->302
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04A33EEB
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.554409749.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_4a30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: beca0df6b8f186d0bfde12e95f9d9773e0565135359e9b95f0e0c4f466005a5f
                                            • Instruction ID: 48d1e77d9567714a7f6a5a78cab5501290d2c552aa7427d638177a5110edfd19
                                            • Opcode Fuzzy Hash: beca0df6b8f186d0bfde12e95f9d9773e0565135359e9b95f0e0c4f466005a5f
                                            • Instruction Fuzzy Hash: C9610571D04319DFDF50CFA9C880BDDBBB5AF48305F1484AAE908AB250DB31AA89CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 303 4a33d8d-4a33e23 305 4a33e25-4a33e2b 303->305 306 4a33e2e-4a33e35 303->306 305->306 307 4a33e40-4a33e56 306->307 308 4a33e37-4a33e3d 306->308 309 4a33e61-4a33efe CreateProcessW 307->309 310 4a33e58-4a33e5e 307->310 308->307 312 4a33f00-4a33f06 309->312 313 4a33f07-4a33f7b 309->313 310->309 312->313 321 4a33f8d-4a33f94 313->321 322 4a33f7d-4a33f83 313->322 323 4a33f96-4a33fa5 321->323 324 4a33fab 321->324 322->321 323->324 326 4a33fac 324->326 326->326
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04A33EEB
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.554409749.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_4a30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 5144884874972b505d4b257a03b518a5313e8f509540a54bcbd39cbecab03558
                                            • Instruction ID: 34fc57833597391c35f80a3cef9ae4eca917fc8235bece0d7846d62565d5e0af
                                            • Opcode Fuzzy Hash: 5144884874972b505d4b257a03b518a5313e8f509540a54bcbd39cbecab03558
                                            • Instruction Fuzzy Hash: F1511971900319DFDF14CF99C880BDEBBB5BF88314F1485AAE908A7250DB71AA89CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 327 4a30cb4-4a33e23 330 4a33e25-4a33e2b 327->330 331 4a33e2e-4a33e35 327->331 330->331 332 4a33e40-4a33e56 331->332 333 4a33e37-4a33e3d 331->333 334 4a33e61-4a33efe CreateProcessW 332->334 335 4a33e58-4a33e5e 332->335 333->332 337 4a33f00-4a33f06 334->337 338 4a33f07-4a33f7b 334->338 335->334 337->338 346 4a33f8d-4a33f94 338->346 347 4a33f7d-4a33f83 338->347 348 4a33f96-4a33fa5 346->348 349 4a33fab 346->349 347->346 348->349 351 4a33fac 349->351 351->351
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04A33EEB
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.554409749.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_4a30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 3f0b65eaeb756b5f58659912e117359275250857cbc7270d202fd5d30aedba15
                                            • Instruction ID: 464b495e9af6b2503b8c8125790fa71babe9c95bbb9ad83efbbbf6619ffd45a9
                                            • Opcode Fuzzy Hash: 3f0b65eaeb756b5f58659912e117359275250857cbc7270d202fd5d30aedba15
                                            • Instruction Fuzzy Hash: 1C510871904319DFDF50CF99C880BDEBBB5BF48315F1484AAE908A7250DB71AA89CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 352 e7df8c-e7dffe 353 e7e000-e7e006 352->353 354 e7e009-e7e010 352->354 353->354 355 e7e012-e7e018 354->355 356 e7e01b-e7e053 354->356 355->356 357 e7e05b-e7e0ba CreateWindowExW 356->357 358 e7e0c3-e7e0fb 357->358 359 e7e0bc-e7e0c2 357->359 363 e7e0fd-e7e100 358->363 364 e7e108 358->364 359->358 363->364 365 e7e109 364->365 365->365
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7E0AA
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 88dbf74818994508cbc30d70bcab22d1fe2c3642434ce42d3ecb3683582324fa
                                            • Instruction ID: 8ba43cf2823dc0a4c3b56168f5daefe5fe0c0a2443db71626cb3b1e5264fb98e
                                            • Opcode Fuzzy Hash: 88dbf74818994508cbc30d70bcab22d1fe2c3642434ce42d3ecb3683582324fa
                                            • Instruction Fuzzy Hash: 0B51D0B1D00309DFDB14CF99C984ADEBBF5BF88314F25856AE818AB250D7749885CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 366 e7df98-e7dffe 367 e7e000-e7e006 366->367 368 e7e009-e7e010 366->368 367->368 369 e7e012-e7e018 368->369 370 e7e01b-e7e0ba CreateWindowExW 368->370 369->370 372 e7e0c3-e7e0fb 370->372 373 e7e0bc-e7e0c2 370->373 377 e7e0fd-e7e100 372->377 378 e7e108 372->378 373->372 377->378 379 e7e109 378->379 379->379
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7E0AA
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9d3b77504c566290e2cd9b1e8bbc2ee89a5dd67c27bf27dbefbf60181c693e9b
                                            • Instruction ID: 7afaa6b28b8d035d55b8e13c2f25dcf44303f55a337b0fbf2a5b9c9a22bfded4
                                            • Opcode Fuzzy Hash: 9d3b77504c566290e2cd9b1e8bbc2ee89a5dd67c27bf27dbefbf60181c693e9b
                                            • Instruction Fuzzy Hash: 6341CEB1D00309DFDB14CF9AC884ADEBBF5BF88314F25852AE819AB250D7B59845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 562 e770d0-e7716c DuplicateHandle 563 e77175-e77192 562->563 564 e7716e-e77174 562->564 564->563
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7715F
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 53de806f42eca12f17d3a3859b805662f3fa5dae14cd8408561e2252cc090b86
                                            • Instruction ID: 2f00589301862b2bd9f009bd4063d2f729f94e7c684d648734a7f5fef2bb26cd
                                            • Opcode Fuzzy Hash: 53de806f42eca12f17d3a3859b805662f3fa5dae14cd8408561e2252cc090b86
                                            • Instruction Fuzzy Hash: C221D2B59002099FDB10CFA9D985ADEBBF4EB48324F14841AE954A7350D374AA54CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 567 e770d8-e7716c DuplicateHandle 568 e77175-e77192 567->568 569 e7716e-e77174 567->569 569->568
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7715F
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5c0e93cf1ae9f8d26bc097dbecceb89ce228af597f5a08cdf146bbffee263afe
                                            • Instruction ID: efb30a58abb405a52adc5a6fd58db0db9df886477d1e1670c60118f7ef5e568c
                                            • Opcode Fuzzy Hash: 5c0e93cf1ae9f8d26bc097dbecceb89ce228af597f5a08cdf146bbffee263afe
                                            • Instruction Fuzzy Hash: 9D21C4B59012089FDB10CFAAD984ADEBBF8EB48324F14841AE954A7350D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E7C1A9,00000800,00000000,00000000), ref: 00E7C3BA
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: e21f6df8e0918c64c0021e3e000bf7c1b88ba81a1643d132a2f5707bb04698f1
                                            • Instruction ID: a7f337d411622b0746e8942e81932810c0b8ae9612a898a0aacf4abc713b3d6a
                                            • Opcode Fuzzy Hash: e21f6df8e0918c64c0021e3e000bf7c1b88ba81a1643d132a2f5707bb04698f1
                                            • Instruction Fuzzy Hash: 5A1106B68003489FDB10CFAAD445ADEFBF4EB88324F14856ED559B7600C375A946CFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E7C1A9,00000800,00000000,00000000), ref: 00E7C3BA
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 405168e543332d9bb08d37d60c744b3d4a48cb17f405a3e88b5e7296e0d0863f
                                            • Instruction ID: dc5a42dd0c89ac1050056c1bece643e78785b88579037191ec2c9cc627e56ad3
                                            • Opcode Fuzzy Hash: 405168e543332d9bb08d37d60c744b3d4a48cb17f405a3e88b5e7296e0d0863f
                                            • Instruction Fuzzy Hash: AE11D6B69003099FDB10CF9AD444ADEFBF8AB88314F14846ED519B7600C375A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0843C323
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.556996295.0000000008430000.00000040.00000800.00020000.00000000.sdmp, Offset: 08430000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_8430000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: ebdd13bf70bcedc57918d57b6e763597af19ec6483e39ea6af4093cdef1d5960
                                            • Instruction ID: 8cb4cad6fc29e29c02f328b129da20b30827191bd926e25d2c2af19eed6dab4a
                                            • Opcode Fuzzy Hash: ebdd13bf70bcedc57918d57b6e763597af19ec6483e39ea6af4093cdef1d5960
                                            • Instruction Fuzzy Hash: 4F2106B59002099FCB10DF9AC584BDEFBF4EB48320F14842AE558A7240D374A544CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E7C12E
                                            Memory Dump Source
                                            • Source File: 00000013.00000002.551618476.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_19_2_e70000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 87435ab79ac1700387a67f507c6c6529650cca3b62d7fe68b3bb3bb71084c14b
                                            • Instruction ID: 6dac53761f91725f7ab03aaf318bb91313c99aed5373e087dfd8ab0137a523f0
                                            • Opcode Fuzzy Hash: 87435ab79ac1700387a67f507c6c6529650cca3b62d7fe68b3bb3bb71084c14b
                                            • Instruction Fuzzy Hash: 1F11D2B5C006498FDB10CF9AC844ADEFBF8AB88324F15842AD429B7600D374A546CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:6.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:61
                                            Total number of Limit Nodes:6
                                             execution_graph 12785 edd01c 12786 edd034 12785->12786 12787 edd08e 12786->12787 12792 f37961 12786->12792 12800 f35338 12786->12800 12804 f35348 12786->12804 12808 f33ca4 12786->12808 12796 f379b5 12792->12796 12793 f379e9 12794 f379e7 12793->12794 12824 f36964 12793->12824 12796->12793 12797 f379d9 12796->12797 12816 f37b10 12797->12816 12820 f37b00 12797->12820 12801 f3536e 12800->12801 12802 f33ca4 CallWindowProcW 12801->12802 12803 f3538f 12802->12803 12803->12787 12805 f3536e 12804->12805 12806 f33ca4 CallWindowProcW 12805->12806 12807 f3538f 12806->12807 12807->12787 12809 f33caf 12808->12809 12810 f379e9 12809->12810 12812 f379d9 12809->12812 12811 f36964 CallWindowProcW 12810->12811 12813 f379e7 12810->12813 12811->12813 12814 f37b10 CallWindowProcW 12812->12814 12815 f37b00 CallWindowProcW 12812->12815 12814->12813 12815->12813 12818 f37b1e 12816->12818 12817 f36964 CallWindowProcW 12817->12818 12818->12817 12819 f37c07 12818->12819 12819->12794 12822 f37b05 12820->12822 12821 f36964 CallWindowProcW 12821->12822 12822->12821 12823 f37c07 12822->12823 12823->12794 12825 f3696f 12824->12825 12826 f37cd2 CallWindowProcW 12825->12826 12827 f37c81 12825->12827 12826->12827 12827->12794 12828 f316b0 12829 f316df 12828->12829 12832 f30420 12829->12832 12831 f31804 12833 f3042b 12832->12833 12836 f33368 12833->12836 12834 f31d4a 12834->12831 12837 f33392 12836->12837 12838 f33439 12837->12838 12840 f3510f 12837->12840 12841 f3509a 12840->12841 12842 f3511a 12840->12842 12841->12838 12843 f35146 12842->12843 12844 f35253 CreateWindowExW 12842->12844 12843->12838 12845 f352b4 12844->12845 12845->12845 12846 f36b50 GetCurrentProcess 12847 f36bc3 12846->12847 12848 f36bca GetCurrentThread 12846->12848 12847->12848 12849 f36c00 12848->12849 12850 f36c07 GetCurrentProcess 12848->12850 12849->12850 12851 f36c3d 12850->12851 12852 f36c65 GetCurrentThreadId 12851->12852 12853 f36c96 12852->12853 12854 f36d78 DuplicateHandle 12855 f36e0e 12854->12855

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F36BB0
                                            • GetCurrentThread.KERNEL32 ref: 00F36BED
                                            • GetCurrentProcess.KERNEL32 ref: 00F36C2A
                                            • GetCurrentThreadId.KERNEL32 ref: 00F36C83
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: f7f00308be2a8855f8209cdb7f813c2e0f5e4f0340ffcf02a189dce8cc683579
                                            • Instruction ID: 962c90fa98d606b35b87c1b082ebf7dabb597061c534f1115578e4607c87ffaa
                                            • Opcode Fuzzy Hash: f7f00308be2a8855f8209cdb7f813c2e0f5e4f0340ffcf02a189dce8cc683579
                                            • Instruction Fuzzy Hash: 0B5177B09047849FDB01CFA9DA48BDEBFF0EF49314F24849AD195A72A2C7745849CF62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 00F36BB0
                                            • GetCurrentThread.KERNEL32 ref: 00F36BED
                                            • GetCurrentProcess.KERNEL32 ref: 00F36C2A
                                            • GetCurrentThreadId.KERNEL32 ref: 00F36C83
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 24580a04f57f357678dedcbc04107a1b21a4430babbd94d1098de2121a30ab4d
                                            • Instruction ID: 523b7e62b104bf6ff1278eb5763944ba6d388a72211322843367812a8e2e7353
                                            • Opcode Fuzzy Hash: 24580a04f57f357678dedcbc04107a1b21a4430babbd94d1098de2121a30ab4d
                                            • Instruction Fuzzy Hash: EB5163B0900648DFDB10CFAAD648BDEBBF4EF88324F248459E159A7350CB746845CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 39 f3510f-f35118 40 f3509a-f350a4 39->40 41 f3511a-f35144 39->41 43 f35146-f35170 call f33c7c 41->43 44 f3517e-f351f6 41->44 50 f35175-f35176 43->50 46 f35201-f35208 44->46 47 f351f8-f351fe 44->47 48 f35213-f352b2 CreateWindowExW 46->48 49 f3520a-f35210 46->49 47->46 52 f352b4-f352ba 48->52 53 f352bb-f352f3 48->53 49->48 52->53 57 f35300 53->57 58 f352f5-f352f8 53->58 59 f35301 57->59 58->57 59->59
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5ec69b19808425e51eb343f6e52cba03db072cc5e3bacf3bbb3803910b655dc
                                            • Instruction ID: 4c36b159171078c424d2d61b91678b0669a75abae95ed559963a4b90a568bdd8
                                            • Opcode Fuzzy Hash: c5ec69b19808425e51eb343f6e52cba03db072cc5e3bacf3bbb3803910b655dc
                                            • Instruction Fuzzy Hash: 536133B1C04349AFDF12CFA9C880ACEBFB1BF89320F15815AE908AB261C7359955DF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 60 f35190-f351f6 61 f35201-f35208 60->61 62 f351f8-f351fe 60->62 63 f35213-f3524b 61->63 64 f3520a-f35210 61->64 62->61 65 f35253-f352b2 CreateWindowExW 63->65 64->63 66 f352b4-f352ba 65->66 67 f352bb-f352f3 65->67 66->67 71 f35300 67->71 72 f352f5-f352f8 67->72 73 f35301 71->73 72->71 73->73
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F352A2
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 20f3549bd2c4eaee48ba8c3471ee420f07afcccbba30b455722a9b6416eeecc0
                                            • Instruction ID: c5df09f9c6cb10305227f6a6d48ee484dddf3870c4d1f53ab59f9c148281f40d
                                            • Opcode Fuzzy Hash: 20f3549bd2c4eaee48ba8c3471ee420f07afcccbba30b455722a9b6416eeecc0
                                            • Instruction Fuzzy Hash: CD41C0B1D003099FDF14CF9AC884ADEBBB5BF88714F24852AE819AB210D7749845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 74 f36964-f37c74 77 f37d24-f37d44 call f33ca4 74->77 78 f37c7a-f37c7f 74->78 85 f37d47-f37d54 77->85 80 f37cd2-f37d0a CallWindowProcW 78->80 81 f37c81-f37cb8 78->81 82 f37d13-f37d22 80->82 83 f37d0c-f37d12 80->83 88 f37cc1-f37cd0 81->88 89 f37cba-f37cc0 81->89 82->85 83->82 88->85 89->88
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 00F37CF9
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: f095f23a0879513cdcc0c17895526570459246eb85c30a3f3c1ae96b565ce470
                                            • Instruction ID: 652499e61fccdd971696ec6a16b9cf967603a0056b3507ab641da41530a31f32
                                            • Opcode Fuzzy Hash: f095f23a0879513cdcc0c17895526570459246eb85c30a3f3c1ae96b565ce470
                                            • Instruction Fuzzy Hash: FB4138B5900305CFDB14DF99C488AAABBF5FF88324F248458D519AB311C734A945DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 91 f36d71-f36e0c DuplicateHandle 92 f36e15-f36e32 91->92 93 f36e0e-f36e14 91->93 93->92
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F36DFF
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 4b4f70888ae470a2c1126db23ed53428fe002e6a38943f220be528453f7b03b6
                                            • Instruction ID: c9f456618ffbe5035afdf2306a177804f92e8e9212a3e523ba55fdae30ad329a
                                            • Opcode Fuzzy Hash: 4b4f70888ae470a2c1126db23ed53428fe002e6a38943f220be528453f7b03b6
                                            • Instruction Fuzzy Hash: 2521E4B59002489FDB00CFA9D984ADEFBF4FB48324F14841AE954A3310C378A955DFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 96 f36d78-f36e0c DuplicateHandle 97 f36e15-f36e32 96->97 98 f36e0e-f36e14 96->98 98->97
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F36DFF
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569272969.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_f30000_tKZVPq.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 87c4e3d1594684a54df8d5f6a02ac2a4cb0a831c09c9fac5b871fd5a468d46ec
                                            • Instruction ID: ae4fb2119b52bea0573b56cdefea4c90c01c4c948e02226ce5be5c5435ea3b78
                                            • Opcode Fuzzy Hash: 87c4e3d1594684a54df8d5f6a02ac2a4cb0a831c09c9fac5b871fd5a468d46ec
                                            • Instruction Fuzzy Hash: 6A21C2B5900208AFDB10CFAAD984ADEFBF8EB48324F14841AE914A7310D374A954DFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569128055.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_edd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c16dd9527c2d2ff5fc44f8534eea49028e81c94b09e6445a9ed5b3111e00e7bf
                                            • Instruction ID: 2fd6086a0b1782d3c44907e3178f67181ac2336334786f18b12cd3c81b1eb1f9
                                            • Opcode Fuzzy Hash: c16dd9527c2d2ff5fc44f8534eea49028e81c94b09e6445a9ed5b3111e00e7bf
                                            • Instruction Fuzzy Hash: 5321D371508240DFCB14DF54DDC4B66BBA6EBC4318F24C96AD8495B346C73AD847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.569128055.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_edd000_tKZVPq.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7ed4449ca7fc0a1ca0993824ce9e254a0c413f6f83f2d96c25ff2051dc0fbf8
                                            • Instruction ID: ba8e15158ad5e97c516d0263b3091bad1ca9ffbf06990b9fdb4a3468c68d0525
                                            • Opcode Fuzzy Hash: d7ed4449ca7fc0a1ca0993824ce9e254a0c413f6f83f2d96c25ff2051dc0fbf8
                                            • Instruction Fuzzy Hash: DF217F7550D3808FCB12CF24D990715BF71EB86314F28C5EBD8498B6A7C33A984ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%